20 videos · Jun 25, 2026
In this video, the presenter introduces Nmap, a powerful and free network scanning tool used by hackers and IT professionals to identify live hosts, open ports, and potential vulnerabilities within a network. The tutorial covers basic commands to scan an entire network quickly, demonstrating how to find active hosts and check for open ports, particularly those associated with web servers. The presenter also explains the TCP three-way handshake process that Nmap employs to determine if ports are open and discusses stealth scanning techniques to avoid detection by firewalls. Additionally, viewers are encouraged to explore further learning resources through IT Pro TV, which offers a discount for using a specific promo code. Overall, the video emphasizes the importance of Nmap for network reconnaissance and provides actionable insights for effective network scanning.
with just one command I scanned my entire network now my hacking targets found out what operating systems are running what ports are open and even found vulnerabilities that I can exploit that is the power of in map a free essential tool for hackers and pretty much anyone and IT let's get started you need to learn learn learn hacking in a map or network mapper is the tool used by hackers to scan network so we can find live host or find targets to hack and we can also use this tool to find out more information about these targets a process called enumeration so in this video we're gonna break down in map I'll show you how to use it I'll show you how it works let's do it oh and by the way if you want to go deeper than what I'm showing you here check out IT Pro TV they are the sponsor of my hacking journey they're my primary learning source and if you used my link below or code network chuck you'll get 30% off everything forever so check them out oh and by the way you can install in map anywhere Windows Mac OS Linux and you're gonna see me using Kali in map is amazing let me show you why let's say I have a server on my network and I do 10.7 dot 1 and dot 2 to 6 how would I typically find out if that host is they're up and running while we just use ping right ping 10 dot 7.1.2 to 6 ok BAM I'm getting response it's up now that's fine for pinging one device but what if I want to ping an entire network it becomes kind of a problem so my home network here is 10.7 dot 1.0 slash 24 which means that this network could have 254 hosts or endpoints that I could attack again who wants us to hear in ping 254 hosts not this guy so let's use nmap I'll use a command in map and then a switch it'll be lowercase s capital P and then my network and go and in 2.7 1 seconds I found out that 15 hosts were up here's the list right here that's amazing do it in your network right now ok all right we automated the pinging of hosts in a network big deal Chuck you're right and map can do a lot more a lot more like check this out you see as a hacker just knowing these hosts are up is not good enough for me I need more info than that if I look at the scanning methodology the ec-council goes by we just covered step one checking if systems are alive but now I want to look at step two check for open ports let's say my goal is to hack websites and I want to find all endpoints or servers in my network that are running a website where am I going to look for well typically look at report like 80 or port 443 these ports will typically be open on a server if they're running a website that's how people access them by accessing those ports within map we can find that information superfast check this out or throw sudo in here and then do in map - or tick lowercase s capital T I'll explain that here in a moment and then say I'm looking for servers using port 80 and 443 I'll do a - P and then 80 and 443 and then I'll specify my network 10.7 1.0 / 24 let's go-oh sudo password now let's go coffee break that was incredibly fast oh my gosh 2.3 nine seconds yes okay so what are we find well here's the scam report for the host ten dot 7.1.2 eleven we can see that port 80 and 443 are both closed so probably not a webserver safe to assume but host two seven one two two six BAM both of these ports are open probably maybe a webserver and we can quickly scroll through our results to see what other open ports we have like here's another one and it just has port 443 open now this is cool but even cooler is how it actually works check this up looking at my end map command I use the switch - st or tick st this is a type of port scan called a TCP connect or you might see it as a full open scan and the magic is in the TCP using the three-way handshake I just said a lot of words what is all that if you don't know I'm gonna cover it real quick right now let's first start with what is TCP it's a protocol the transport control protocol and what you got to know about it right now is that when let's say my computer wants to talk to a server or even another computer it's the TCP protocol a networking protocol that tells us how we communicate how do we start the conversation how do we keep it going the rules for starting and establishing this conversation are often referred to as the three-way handshake and it's what nmap actually uses to do all its magic a check if ports are open and essentially here's how it works let's say this is a web server and it's serving up David bumble comm if I want to visit David bumble comm I have to start a conversation with that server so I'll start out by sending David bumble a message saying David bubblegum hey I got something to tell you I want to talk to you are you there and this is referred to as a syn packet or a synchronization message now because David bumble comm is a web server I want to talk to him on port 443 so that's where I'm sitting this I'm saying hey David bumble comm on port 443 are you awake if he is if he's listening on that port he should respond saying yep I am awake I am here I'm ready to talk this is referred to as a syn ACK I'm like yeah yeah let's talk let's do this so I respond back with a ACK yeah I'm here I'm ready let's talk three-way handshake and this is what nmap uses to see if the ports are open now we have a little bit of a problem you see commands like this scans like this on a network might be a bit intrusive you see security features like an IDs which is an intrusion detection system that's often built into firewalls might catch on to this might get you in trouble might stop Union tracks but we can be a bit more stealthy here's what we can do well instead of using the switch - st we'll use a switch - s s so lowercase s capital S and then our ports and our network S is for stealthy that's actually the type of scan that says it's a stealth scan or often referred to as a sin scan or a half-open scan as opposed to the full open scan that we just did the difference being that win in map goes to initiate a three-way handshake see our host here is Tendo 7.1.1 we'll send our send message our send packet let's say port 80 and then hopefully the host responds back with the syn ACK well because we're being stealthy we're gonna say never mind and just walk away we're not gonna do the full complete TCP connection you see the communicate with TCP you have to complete that three-way handshake to establish a connection if that three-way handshake is not completed then there's no connection so we're hoping that by not completing that connection or completing the 3-way handshake process we avoid firewalls going hey what are you doing down there that's that's the idea now security and firewalls have become more advanced and sometimes they can even catch on if we do this to keep that in mind but this is a way to avoid that issue let's do it real quick BAM Oh pseudo stealthy we scanned network and they didn't even see us coming or going or leaving now I want to show you real quick the traffic that we're generating when we do this I want actually show you what it looks like we'll use Wireshark to capture it and then I'll show you so let's do it work like I want to show you the difference I'm gonna change up my command just a little bit I'm still gonna do st which if you remember is the full connection but this time I'm not going to specify a port and I'm not gonna scan my entire network I'll just scan one host tend out 7.1.2 to vi if I don't specify a port nothing bad happens it just it will automatically by default scan the top 1,000 ports or most popular ports and seeing that number makes you think wow it's gonna take forever it actually doesn't let's do it real quick I'll click go and it's done like I told you point 17 seconds now I'll do it again with Wireshark running all right I'm capturing packets let's do that one more time done I'm gonna filter by this IP address and we'll look at one of these conversations here and it's beautiful just like what we talked about here's my and map here's my target port 443 I've got my send message I get a syn ACK back from my target and then I send an act back saying everything's good buddy let's talk on port 443 a full TCP connect and then I'm like you know I didn't have much to say I'm going to end this conversation this flag right here this rst is another flag that is just a reset or ending the conversation on a TCP conversation now let's check out the stealthy one let's start my capture again and then go back to my commands here this time we'll do - s big s and go same results let's see what happened crazy looking huh let's check that same port and follow that path that conversation it's a little bit different right started out the same way I'm like hey you want to talk on 443 I got a send message he replies back yeah yeah let's talk my ports wide open and then I'm like psych nevermind I don't want to have that connection that session established I don't want to get caught I'm just poking my head in the window looking around and I'm coming out they probably tired of hearing me say this but nmap can do a lot more like look at this if you look at the manual page by typing in man and map you can go through and look at all these switches you can use and all the crazy things you can do like for example I can search for let's do - Oh with this switch I can enable OS detection and find out what OS is my targets are using which is obviously really helpful let's try it up sudo and map - capital oh and my host go done so we did a few things here first at ping the host saying hey it's up so I use ping then it went ahead and checked if ports are open so it's using TCP three-way handshakes and then it did its best to guess and it's pretty accurate what OS this thing was using or is using now this is a Linux machine let's try a Windows machine it does work on Windows let's try it I have a domain controller on my other Network send out 77 1.11 and this one's obviously pretty stinkin fun it found a lot of ports that you might find open on a domain controller because it is doing a lot and it learned that I'm using Windows Server 2012 r2 which is pretty crazy right but wait there's more let's get back to our main page man and map I'm a search for - eh this one's a combo search it will do - OH which is OS detection it'll check for versions of protocols oh you what that means here in a second script scanning and traceroute all those words we'll look at it right now sudo and map - a and my host and go now this one was busy it was doing a lot 128 seconds but let's check out what we found found some pretty amazing stuff we've got the SSH host key the version of SSH were using it learned that we're using Apache on port 80 Red Hat Linux doing some file sharing look at that and then to top it all off we have a traceroute to see how far away it is from us and the network that's amazing let's do my Windows machine real quick same command different host different network let's do it now these can take a while if you're like is it still working did it freeze what's going on you can hit enter any time baby I'll give it a second to breathe it'll tell you how fast going the progress sixty eight percent done those twenty five percent earlier how much time is left let's do it again but I'll let it do its thing okay this thing forever come on it's done finally done oh my gosh it took three hundred three seconds seven okay I can read numbers I promise three hundred seven seconds order to find out that's a lot of stuff found out oh my gosh so I found out all the versions of whatever I'm using for the protocols course tell Microsoft based hey look how this info it felt that's awesome my common name here all my SSL cert even the expiration my SMB information which is my file share oh my gosh and then a nice little traceroute so cool I love this okay this video is gonna be too long but I want to show you just two more things okay so stick around here we go the first thing is that you can have a decoy because as you're scanning a network and you want to avoid being found it's called obfuscation I can never say that word obfuscation yeah just basically covering your tracks making sure people can't find you easily because hey if you're scanning a networking you're sending all that traffic something might pick you up well let's get them off the trail so let's do another port scam do a pseudo and map I'll do a net - s T for a full TCP connection and actually I'll just go stealthy we don't want them to find us that's the point right and we'll use the command dash D which stands for decoy and we'll put in a decoy IP address let's just say 10.7 dot one dot this is nothing hey t and I'll put in my target it's in not 7.1.2 - six and this is cool because what it will do is it will still send messages for me putting in the packets that I am the sender right I'm the source but it will also send another one i duplicate changing the source to 10.7 dot one dot eighty so if someone looking through traffic on the network and going man there's a lot of traffic from that one host well you can add decoys to are like there's a lot of traffic from all these hosts which ones doing it I don't know that's the big idea that's that's super cool now final thing I want to show you is awesome in map can do all these things I just showed you but it also has a scripting engine you can write custom scripts written that and map that can do a lot of things let's go find these scripts here's the site it's called the end mapped scripting engine and here's all these scripts you can run one that's cool are all these scripts under vulner which is vulnerabilities it'll actually scan your hosts in addition to seeing if they're up and what ports are open it'll scan to see if they have vulnerabilities that we could exploit that's what I'm talking about that's hacking automation right there now we could go in here and run all these scripts individually but you know what I'm lazy I'm not gonna do that here's what I can do I'm gonna do this pseudo in map the switch for scripts is - - scripts and then I could specify my script but what I'm gonna do here instead is just type in Pavan which should use every one of those scripts in that category what ok now let's do my host now this will take a bit so I'm gonna do this and coffee break oh sorry it's script now scripts add scripts on the brain here we go go go and we wait and it's done 106 seconds not too bad actually let's see what it did now I have to be honest there will be a lot of vulnerabilities on this particular box because the server is from vuln up but basically the script went through and analyzed this box for any vulnerabilities using the CVEs which is common vulnerabilities and exposures it's a list that's maintained and it found some obviously which is awesome and we could then go ahead and exploit those because those are known vulnerabilities easy enough right oh and by the way Voland hub it's awesome that box I downloaded is actually called key op tricks let me find it real quick and they have five different versions it's a VM you can download and it's designed to help you start hacking things so it's the vulnerable blocks that you should be able to hack and there's walkthroughs and all kinds of challenges but yeah I picked this because it's gonna be vulnerable and a huge shout-out to the guy who created this who I was talking to the other day he's a founder of the site he's a hacking genius go follow him I'll put a link below oh by the way content on these will be coming there they're pretty cool now this was just a quick overview of nmap and why it's amazing if you want to become a hacker if you want to get your ceh or any other hacking certification you do need to become more familiar than what i just covered with nmap here's some of the other switches you might want to learn put these on note cards practice them lab them understand what they are understand how networking works with these situations I forgot to cover this right here actually the the speeds you can lower the speed in which it scans things so you can avoid being detected the default is t3 which is a pretty normal speed skin as it says normal speed scan right there but you can go slower to avoid detection I tried that I'd lost patience and I went faster but you can do that and that nmap just one tool we'll use for the scanning and enumeration part of hacking and if you're going through the SI eh this is a vital step if you check out the ec-council official course scanning in enumeration or module three and four so pretty vital and please don't consider this a deep dive on everything you need to know for scanning an enumeration I showed you and map and some really fun things you can do with it if you want to dive deeper which I encourage you to in fact I'm hoping this video makes you dive deeper go check out IT Pro TV I only have like one 16 minute video and they have a bunch of videos that you can go and dive deeper with not to mention they have virtual labs you can just immediately start playing with stuff you don't have to set up a lab it's just there you play with it it's awesome again link below or code network chuck for that you get 30% off forever so check it out it's it's worth it I'm not a hacker yet I know that but I got just a little bit closer today by studying in map scanning and enumeration I hope that if you watch this video you got just a little bit closer to becoming a hacker as well so if you like what I'm doing if you want to keep watching my journey to see if I actually become a hacker well subscribe hit that like button to help the YouTube algorithm and hit that notification bell so you get notified when I launch stuff videos and such well that's pretty much it that's all I got let me know what you thought of the video below in the comments let me know if you used in map or if you're going to use in map I'd love to hear the cool ways you're going to use it I'll catch you guys next time [Music]
The video provides a comprehensive guide on using Nmap, a powerful tool for network reconnaissance and cybersecurity auditing. It covers the evolution of Nmap from a simple port scanner to a suite of advanced networking tools, including features like the Nmap Scripting Engine (NSE) and Zenmap, its GUI counterpart. Viewers are warned about the legal implications of scanning networks without authorization and the potential impact on system performance. The tutorial also walks through the installation process, emphasizing the benefits of building Nmap from source for the latest features and customization options. Finally, it introduces basic scanning techniques and commands, encouraging users to explore Nmap's capabilities further.
are you tired of constantly wondering how to use n map and what it is capable of well where you know more in this comprehensive guide I'm going to take you through everything you need to know about end map from the basics to the more advanced features by the end of this video you will never have to ask again about end map you just become Pro after this video this video isn't just your average watch it's a full-fledged end map Expedition grab your learning gear because we're diving deep if you're not prepared to Unleash Your Inner detect this might not be the video for you all right let's start with the foundation of in in in map picture this back in the day the genius Gordon lion aaot dropped the bomb that is end map in the legendary pages of Frack magazine v 7 issue 51 you can still Catch The Vibes of its Inception at their website fast forward to today an nmap is still stealing the spotlight as one of the Holy Grails in network reconnaissance and cyber security auditing it all started as a bang up Port scanner blowing Minds with groundbreaking techniques for Port Discovery but oh my friends it didn't stop there nmap has evolved into a family of Rockstar networking tools featuring Headliners like en crack the Rockstar of network authentication cracking jamming out support for all your favorite applications and protocols then we've got incat the upgraded version of netcat on steroids rocking encryption out of the box and getting all fancy with Luis scripts but wait there's more enter and ping the Maestro of custom Network packet crafting for all your Diagnostics and troubleshooting needs and let's not forget zenmap the crossplatform GUI for nmap where usability meets sophistication and in the heart of it all we've got the nmap scripting engine nsea game Cher it snatches up Intel from scan targets and hands you the power to script additional tasks using Lua it's like having a cyber wizard at your fingertips weaving magic spells in the world of networking before delving into the end map it's crucial to grasp the following concepts firewalls routers proxy servers and other security devices can influence and map scan results scanning remote hosts outside your local network May yield misleading information due to these factors certain scanning options necessitate elevated privileges on Unix and Linux systems you might need to log in as the root user or execute nmap using the pseudo command alongside these considerations it's essential to heed the following warnings scanning networks without proper authorization can lead to repercussions with your internet service provider law enforcement and potentially government entities avoid scanning sensitive sites like FBI or Secret Service websites unless you want legal trouble aggressively scanning certain systems May induce crashes resulting in undesirable outcomes such as system downtime and data loss exercise caution when scanning Mission critical systems approach each scan with the awareness of potential consequences installing nmap unlocking the full potential of nmap goes beyond the default pre-installation in ki Linux let's take control and Elevate our capabilities by installing nmap from the source code why source code you ask well my friends let's talk about the beauty of installing nmap Straight From the Source you see when you embark on the Journey of building nmap from the raw unfiltered Source codee you're opening the door to a realm of possibilities the first perk my friends is the Allure of the latest and greatest features by immersing yourself in the source code you get to bask in the glory of the freshest functionalities and the sweet Nector of bug fixes it's like sipping on the elixir of progress customization ah now that's where the magic happens imagine having the power to tailor end map to your heart's desire enable what you need disable what you don't it's a dance of options a symphony of choice all at the tip of your command line building end map from Source takes a little extra work but is well worth the effort to get the new features in nmap's latest release pre-compiled nmap packages can be found for all major platforms at this page for those who do not feel like setting up the build environment when working with precompiled packages just make sure that you grabb the latest version to avoid missing important fixes or enhance ments this is especially important with Windows and the npap driver which has gone through some serious improvements before we proceed let's ensure that subversion is installed on your colie Linux Ki typically comes pre-installed with subversion so you need not worry simply open the terminal and type SVN as you can see it's already installed as it should be you'll see the familiar commands if in some cases it's not installed don't fret will prompt you to install it just type why and it will seamlessly install for you the subversion repository hosted at this link contains the latest development version of nmap and has World red access that allows anyone to grab a copy of the source code the installation process described in this recipe also installed ncat zenmap n if and and and nping as we embark on this journey building nmap requires additional libraries like the development definition from op sell and the make Command execute the following command to install the necessary dependencies it's important to note that while open SSL is optional its absence may nmap functionality nmap relies on open SSL for Vital functions such as integers hashing and encoding and decoding SSL requests crucial for both service detection and the nmap scripting engine [Music] having completed the preliminary steps we are now set to install nmap from the source code first things first type the following command SVN nmap source code [Music] link this command initiates the download and listing of [Music] files once it completes you'll receive a message indicating that a new directory containing the source code is now available in your current working directory assuming you've installed all the necessary dependencies you're now ready to compile and map navigate to the directory by typing CDN map [Music] for a complete list of configuration directives use the help command argument do/ configure [Music] help then execute the configuration command do/ configure this command initiates the config figuration process be patient for a few minutes [Music] upon successful completion of the configuration you should see a message indicating [Music] so now it's time to compile n map simply type make this will compile nmap and you'll be ready to utilize its enhanced capabilities on your system [Music] oh no we got error no worries after some diligent research we found a solution to fix this issue simply downgrade the setup tools version by typing the following command now let's give it another shot type make install [Music] upon successful completion you'll receive a message confirming that nmap has been installed you're now all set to unleash the power of nmap across your entire system now that we've successfully compiled nmap we are all set to roll if for instance you wish to open zenmap follow these simple steps navigate to the zenmap directory by entering CD zenmap then execute zenmap by typing do/ [Music] zenmap you're now ready to explore the powerful features of zenmap on your system you can use others too like this but end map is ready to go [Music] if you want to try the latest creations of the development team there is a folder named nmap exp that contains several experimental branches of the project the code stored in this folder is not guaranteed to work all the time as it is used as a Sandbox spy Developers although some hidden gems can be found there from time to time these branches are located at this website okay now we are good to start scanning but if you want to install nmap on your windows it is so simple I will put a link on description you can download it from there now let's embark on the inmap journey progressing from the basics to advance techniques let's kick things off with a straightforward scan no fancy end map options involved before we embark on this journey it's essential to clarify that my target is my Windows Virtual Machine Additionally the scan me insecure org server serves as a common example Target frequently used throughout this video it's worth noting that this particular system is graciously hosted by the nmap project in the sacred realm of command line incantation seek Enlightenment and Guidance with a venerable n map Behold The Mystic symbols H shall reveal unto you a summary of the available incantations and map H but Lo should your thirst for knowledge remain unquenched delve deeper into the Arcane teachings of enmap utter the sacred invocation to open the manual and partake in the wisdom it bestows upon the worthy man and map in the sacred Scrolls of the manual page you shall find a wealth of knowledge revealing the secrets and nuances of nmap's mystical Powers the capital V option in nmap is used to display the installed version of the tool it can be helpful for troubleshooting and ensuring that you are using the latest version which may include bug fixes and new features to use this option you can run the following command in your terminal or command prompt nmap capital V this command will display information about the nmap version installed on your system if you encounter any issues or if you want to stay updated with the latest features and Bug fixes it's a good practice to check the official nmap website for the most recent version the small V option in nmap is used to enable verbose output providing more detailed information during the scanning process it can be helpful for troubleshooting connectivity issues and gaining insights into the scans progress to use this option you can run the following command in your terminal or command prompt mmap small V your target this command will perform a scan on the specified Target with verbose output enabled if you want even more detailed information you can use the option multiple times such as nmap small double v your target this will increase the verbosity level and provide additional details about the scanning process embarking on a targeted exploration executing mmap without any command line options initiates a fundamental scan on the specified Target which can be denoted by an IP address or host name just type inmap your target what happens next in map The Wizard of network probing systematically scans the 1,000 most common TCP IP ports now each Port responding to its probing reveals its Secrets falling into one of these six intriguing States open it's like a neon sign saying come on in a service is actively awaiting connections on this port closed probes were received but it's like knocking on a door with no one home no service is running on this port filtered the mysterious cloak no signs of probes no established state something's filtering those signals could be a security wizard at play unfiltered probes were received but a clear State remains elusive the plot thickens open and filtered a tantalizing blend of possibility the port might be open or filtered but the exact State remains a bit elusive closed and filtered a double mystery the port is either closed or filtered but the precise State continues to play hide and seek so with this Voyage Through Port States nmap unveils the secrets of your target service [Music] landscape exploring multiple targets and map has your back the simplest way to achieve this is by stringing together the target IP addresses or host names on the command line separated by spaces [Music] ready to scan a whole subnet nmap makes it Easy by using cidr classless interdomain routing notation just type nmap Network ip/ cidr this command directs M map to scan the entire IP address Network leveraging cidr notation cidr notation is a compact representation of the network address and subnet mask in binary bits conveniently separated by a [Music] slash to scan a range of IP addresses simply type nmap range of IP addresses this allows nmap to Target a specified range of IP addresses for thorough scanning [Music] to scan a list of targets efficiently you can create a text file for example ip. txt containing the IP addresses or host names of the systems you want to scan each entry in the file should be separated by a space tab or new line for instance if your file ip. txt contains a list of IP addresses is you can initiate the scan by typing nmap I capital L ip. txt the i l parameter is crucial here as it instructs nmap to extract the list of targets from the specified file this scan will be executed individually for each host mentioned in the file allowing for a comprehensive assessment of multiple systems [Music] to fine-tune your scans nmap offers the exclude option allowing you to Omit specific hosts during a scan for instance nmap your targets exclude Target this option proves valuable when dealing with a substantial number of addresses enabling you to selectively exclude certain hosts the exclude option accommodates single hosts ranges or entire Network [Music] blocks Additionally you can Leverage The exclude file option which functions similarly to exclude but allows you to provide a list of targets to be excluded from the network scan for example nmap your targets exclude file your file name in this scenario the targets listed in the ip.
txt file will be excluded from the scan providing flexibility in tailoring your scanning [Music] parameters when it comes to network interface selection nmap usually does a great job of automatically detecting your active interface however there are situations where it might encounter challenges or you specifically need to choose a different interface to address networking issues in such cases you can utilize the E argument to instruct nmap to scan using a particular network interface nmap e interface Target this becomes necessary when dealing with broadcast scripts or if you come across the warning message warning unable to find appropriate interface Forst System Route two by specifying the interface you can overcome these challenges and ensure a more accurate and targeted [Music] scan venturing into the realm of IPv6 nmap has you covered with the six parameter designed for scanning IP version six targets for instance inmap 6 Target executing this command unveils the results of scanning an IPv6 Target it's worth noting that while most nmap options seamlessly support IPv6 there are exceptions multiple Target scanning using ranges and cidr for example is rendered pointless in IPv6 [Music] networks fancy a roll of the dice in cyberspace end Maps got you covered with the IR parameter allowing you to scan random internet hosts for instance nmap I capital r number of targets executing this command prompts nmap to randomly generate a specified number of targets and scan them while it might be an interesting exercise for research purposes or sheer curiosity it's crucial to note that conducting frequent and aggressive random scans could potentially lead to issues with your internet service provider so proceed with caution unless you're working on a research project [Music] Unleash the Power of understanding Port states with this special command mmap reason your target when you run this you'll notice a new reason field in the results it's like a Dakota revealing the secrets behind why each Port is in its current state whether it's open closed or filtered by a firewall think of it as your magical guide helping you make sense of the Hidden forces within the realm of network exploration may your scanning Journey be clear and full of [Music] Revelations simplify your scan results with the power of focus and map open your Target by using the open parameter you tellin map to cut through the noise and show only the open ports it's like a spotlight in the darkness revealing the crucial entry points and keeping your results clear and concise [Music] uncover the secrets of network communication with the packet Trace magic nmap packet trace your Target by using packet Trace nmap reveals a detailed log of every packets Journey sent and received it's your backstage pass to the network performance perfect for troubleshooting connectivity hiccups all right let's delve into the Myriad of Port SC scanning options that nmap has to offer in the vast expanse of TCP IP ports totaling 131,072 whether to unveil uncommon services or to trace ports redirected to Alternative locations this section unfolds the options that Grant you the power to extend your scans into different port territories and explores various features tailored for Port specific investigations let's unravel the possibilities that lie beyond the customary Port limits to kick things off with a swifter approach the F option in nmap is your ticket to a speedy scan focusing solely on the 100 most prevalent ports here's how to unleash this rapid exploration inmap capital F your target while nmap by default meticulously examines the top 1,000 commonly used ports the F option strategically trims that list down to 100 this not only dramatically accelerates your scanning Pace but also ensures that you're still capturing the essence of the most commonly used ports it's a powerful trade-off between speed and comprehens intensiveness designed to optimize your scanning [Music] experience intricate world of Port scanning the P option in nmap acts as your Guiding Light allowing you to pinpoint and scrutinize specific ports with finesse let's unravel the possibilities nmap P Port that you want then your target for instance the command above harnesses P to hone in on Port 80 but why stop there the P option goes beyond solitary Pursuits you can explore multiple individual ports separated by commas or even a captivating range of ports witness the flexibility mmap Port 1 Port two Etc or range of ports your target yet the P option doesn't merely stop at numerical values it Embraces the eloquence of Port names and map P Port names your target as Illustrated you can seek open ports by name where the specified names must align with a service listed in the nmap services file in the Symphony of Port scanning options the P option in nmap reveals yet yet another note the Wild Card asterisk this wild card when employed with P becomes a powerful tool to scan all 65 535 TCP IP ports on the target of your choice nmap P asterisk your target crucially the use of double quotes is imperative to encapsulate the wildcard statement preventing your system from misinterpreting it as a shell wild card this ensures Precision in your command execution in essence the this command is an invocation to explore every nook and cranny of the target's Port landscape an all-encompassing journey into the entire spectrum of TCP IP ports embarking on the intricate journey of Port scanning the P option in nmap stands as a versatile Ally its capabilities extend to scanning ports based on specific protocols introducing a nuanced approach to your exploration imagine this scenario a craving for a meticulous examination of both UDP and TCP ports enter the command nmap S capital u s Capital TP u53 T25 your target here nmap by default tends to focus solely on TCP ports to broaden your scope and Encompass both TCP and UDP ports additional scan types like Su and St need to be activated a topic will delve into an an upcoming section this command orchestrates a symphony of exploration executing a UD P scan on Port 53 and a TCP scan on Port 25 it's a masterful blend of precision and protocol specific scrutiny unraveling the Mysteries concealed within each port and protocol combination in the expansive realm of Port scanning the P option remains a steadfast [Music] guide traversing the intricate landscape of Port scanning the top ports option in nmap becomes a crucial tool allowing you to define the number of top ranked ports for a meticulous exploration nmap top ports number of top ports that you want to scan than your Target by default nmap sets its sights on the vast sea of the 1,000 most commonly used ports a number curtailed to a Nimble 100 with the F option however with the top ports option you take the helm determining the specific quantity of top ranked ports to scrutinize nmap top port 10 your Target in this command observe the top ports option in action guiding nmap to inspect the top 10 ports yet the true strength lies in your hands any number can be specified embarking on a methodical exploration of Port scanning the r option in nmap unveils the capability to perform a sequential port scan on the designated Target for instance nmap are your target map's default scanning algorithm orchestrates a random order for Port scans a strategic maneuver to evade firewalls and intrusion prevention systems however the r parameter serves as a directive overriding this Randomness and guiding nmap to systematically seek open ports in numerical order to enhance your understanding consider combining the V option with r nmap VR your target this combination provides a real time display of the sequential Port Discovery unraveling the exploration process as it unfolds all right guys those was basic scanning technique and with no options it not good scanning techniques but I just want to show you some basic for starting to scan the default Discovery options aren't useful when scanning secured systems and can hinder scanning progress now let's delve into some foundational scanning techniques with a touch of advanced exploration let's take a detour from the default ordinarily before nmap delves into scanning A System's open ports it initiates a quick ping to check if the target is online this smart move helps expedite the scanning process by skipping non-responsive targets now if you want to skip the default discovery check and go for a comprehensive port scan you can use nmap capital P capital N your target the the PN option tells nmap to forgo the default Discovery step which is particularly handy when dealing with hosts protected by firewalls that block ping probes sometimes you just want to say hello with a ping the s p option and nmap lets you do just that nmap S capital P your target this option is handy when you're on a reconnaissance mission seeking a quick overview of the online hosts in your Network without delving into the intricacies of Port scanning for instance nmap S capital P 10 02/24 in this example nmap pings all 254 addresses in the 10.0.2 subnet presenting results for live hosts when running nmap with root privileges on a local network the SP option kicks it up a notch performing an ARP ping and returning the Mac addresses of the discovered [Music] systems performing a TCP s ping can be a handy alternative especially when standard icmp pings are blocked here's how to use the PS option in nmap nmap capital P capital S your target the PS option initiates a TCP sin ping by sending a sin packet to the Target system and then listens for a response on the specified ports if you specified ports this approach is particularly effective for systems configured to block standard icmp pings by default if no specific ports are provided the Ping is sent to Port 80 this method provides a reliable way to discover live hosts and assess network connectivity without relying on icmp [Music] engaging in network discovery with nmap the p option lets you perform a TCP act Ping On a specified Target here's how to use it nmap capital P capital A your target when employed the PA option prompts nmap to dispatch TCP act packets to the specified hosts this method is designed to discover hosts by responding to TCP connections that don't actually exist aiming to elicit a response from the target it proves particularly valuable in scenarios where standard icmp pings are blocked offering an alternative means of network exploration for a different approach to network discovery the Pu option in nmap allows you to perform a UDP Ping On A Target system here's how to use it nmap capital P capital u ports that you want then your target when invoked the Pu option directs nmap to dispatch UDP packets to the specified hosts aiming to elicit a response while many firewalled systems are configured to block this type of connection some poorly configured systems might allow it especially if they are set up to filter TCP connections exclusively by default if no specific ports are provided the UDP ping is sent to Port 481 25 this method serves as an alternative means of network exploration particularly useful in situations where TCP connections are filtered or blocked exploring network connectivity with nmap the py parameter empowers you to execute an sctp init Ping On a specified Target here's how to utilize it nmap capital P capital Y ports that you want then your target when employing the py option nmap Endeavors to discover hosts using the stream control transmission protocol sctp is commonly employed on systems for IP based telepan by default if no specific ports are provided the sctp init ping is sent to Port 80 this method offers a unique approach to network exploration particularly relevant in contexts where sctp is used such as in IP based telephony [Music] systems for a classic approach to network discovery the PE option in nmap enables you to execute an icmp internet control message protocol Echo Ping On a specified system here's how to use it inap capital P capital E then your target when you employ the PE option nmap sends a standard icmp ping to the Target to check if it replies this type of Discovery is particularly effective on local networks where icmp packets can be transmitted with few restrictions however it's essential to note that many internet hosts are configured not to respond to icmp packets for security reasons it's worth mentioning that the PE option is automatically implied if no other ping options are specified this ensures a straightforward icmp Echo ping when no other ping methods are explicitly chosen in the realm of network exploration the pp option in nmap allows you to conduct an icmp timestamp Ping On a specified Target here's how to utilize it nmap capital double P then your target when you invoke the pp option nmap engages in an icmp timestamp ping while many firewall systems are set up to block icmp Echo requests some improp properly configured systems might still respond to icmp timestamp requests this unique approach with PP proves valuable for attempting to solicit responses from targets behind firewalls however it's crucial to exercise caution and respect security policies when using such probing [Music] techniques delving into icmp exploration the PM option in nmap enables an icmp address mask Ping On a specified Target here's how to use it nmap capital P capital N your target this atypical icmp query akin to the pp option Endeavors to Ping the specified host using alternative icmp registers the uniqueness of this type of ping lies in its ability to occasionally bypass firewalls configured to block standard Echo requests in the realm of n work probing the PO option in nmap allows you to execute an IP protocol Ping On a specified Target here's how to utilize it nmap capital P capital O protocols that you want then your target when you use the PO option nmap dispatches packets with the specified protocols to the Target if no Protocols are explicitly specified the default protocols 1 icmp 2 igmp and for IP and IP are utilized this approach provides a versatile means of probing a Target system using different IP protocols offering flexibility in network exploration engaging in local network discovery the pr option in nmap empowers you to execute an ARP or address resolution protocol Ping On a specified Target here's how to utilize it nmap capital p capital r your [Music] target the pr option is automatically implied when scanning the local network this discovery method based on a RP is notably faster than other ping methods and offers increased accuracy because Lan hosts can't block ARP requests even if they are situated behind a firewall it's important to note that ARP scans are restricted to targets within your local subnet this method excels in local network scenar iios providing a Swift and accurate means of identifying live hosts embarking on a journey of network exploration the trace route parameter in nmap allows you to trace the network path to a specified host here's how to utilize it nmap trace route your target executing this command provides information similar to the trace route or Trace path commands found on Unix and Linux systems however nmap's tracing functionality surpasses these commands offering additional benefits in terms of accuracy and features trace route with nmap proves to be a powerful tool for understanding the route that Network packets take to reach a destination aiding in network Diagnostics and optimization efforts venturing into the realm of reconnaissance the r parameter in nmap empowers you to Force reverse DNS resolution on a specified Target IP address here's how to use it mmap capital r your Target by default mmat performs reverse Dems resolution only for hosts that appear to be online the r option proves beneficial when conducting reconnaissance on a block of IP addresses as it prompts nmap to attempt resolving the reverse DNS information for every IP address this can unveil interest details about the target IP address even if it is offline or blocking n Maps probes however it's important to note that the r option can significantly impact the performance of a scan so it should be used judiciously based on the specific requirements of your reconnaissance [Music] efforts in the Quest for faster scan results the nend parameter in nmap allows you to disable reverse DNS lookups here's how to use it n map and your target enabling the N option proves to be a strategic Choice especially when scanning a large number of hosts as reverse DNS resolution can significantly slow down the process by opting for n you prioritize scan speed over obtaining DNS information for the Target system this option is particularly useful in scenarios where you don't require detailed DNS information and prefer Swift scan results it's a practical choice for efficiency when the focus is primarily on the IP level details of the [Music] targets exploring alternative DNS lookup methods the system DNS option in nmap directs the tool to utilize the host systems DNS resolver rather than its internal method here's how to use it nmap system DNS your target while this option is seldom used due to its slower performance compared to the default method it can be valuable in scenarios where troubleshooting DNS problems with nmap is necessary it provides an alternative approach to dn's resolution leveraging the host systems DNS resolver it's important to note that the system resolver is automatically employed for IPv6 scans as nmap has not fully implemented its own internal IPv6 resolver at the time of this information update in the pursuit of customizing DNS server usage the DN serers option in nmap allows you to manually specify DNS servers to be queried during scanning here's how to use it nmap DNS servers server 1 server 2 Etc then your Target by default naap utilizes the DNS servers configured on your local system for name resolution however the DNS server option empowers you to specify one or more alternative servers for nmap to query this proves useful in situations where DNS is not configured on the system or if you wish to avoid having your scan lookups recorded in the log files of your locally configured DNS server this option provides flexibility in tailoring the DNS resolution process according to your specific requirements during scanning now let's dive in advanced scanning with nmap in this exploration we're not just sticking to the basics nmap opens up a plethora of possibilities with its user selectable scan types allowing you to tailor your scans to the unique challenges posed by each Target system by default nmap gracefully executes a basic TCP scan on every Target but the real adventure begins when we venture into more complex territories picture this you need to unveil those elusive uncommon services or gracefully maneuver around a firewall this is where the advanced scan type come to the rescue throughout this journey we'll unravel the intricacies of these Advanced scans empowering you with the knowledge to navigate the diverse Landscapes of network discovery TCP or UDP we've got you covered it's like having a versatile toolkit at your disposal each scan type A Unique tool designed for specific challenges diving into the world of TCP sin scans with n map the SS option is your key to performing a TCP sin scan n and here's how you wield it nmap S capital S your target now let's break it down the TCP sin scan set as the default for privileged users those running as rude on Unix Linux or administrator on Windows is a strategic exploration tactic this scan Endeavors to pinpoint the 1,000 most commonly used TCP ports by delicately sending a sin packet to the Target and keenly listening for a response what makes it stealthy you ask well this scan doesn't boldly attempt to establish a full-fledged connection with the remote host it operates in the shadows preventing many systems from logging a connection attempt from your scan a truly ninja move in the world of network reconnaissance but here's the reality check stealth isn't a guarantee modern packet capture programs and advanced firewalls have evolved to detect the subtle Footprints of TCP sin [Music] scans let's delve into the realm of t TCP connect scans with nmap the St option is your gateway to performing a TCP connect scan and here's how you wield it nmap S capital T then your target now let's unravel the magic the TCP connect scan executed by default for non-privileged users and also used for IPv6 targets is a straightforward probe it boldly attempts to establish a direct connection with the remote system bypassing the stealthiness associated with with other scan types here's a pro tip while the TCP connect scan is effective it's generally advisable to execute nmap with root privileges whenever possible why because with root privileges nmap opts for a TCP sin scan SS providing a more accurate listing of Port States and significantly boosting scan speed embark on the Journey of UDP exploration within map the Su option is your gate way to performing a UDP or user datagram protocol scan and here's how you command it and map S capital u your target now let's uncover the magic this command gracefully unveils the results of a UDP scan while TCP takes the Limelight as the most commonly used protocol numerous Network Services like DNS DHCP and SNMP rely on the agility of UDP when you're on a network audit Mission it's a Savvy move to check for both t C CP and UDP Services ensuring you paint a comprehensive picture of the target host or network UDP scans add a layer of depth to your exploration capturing those services that might be operating in the subtle Realms of the user datagram protocol Venture into the realm of TCP null scans within map the SN option is your ticket to performing a TCP null scan and here's how you orchestrate it and app S capital N your target now let's unravel the Intrigue a TCP null scan in its enigmatic Glory prompts nmap to dispatch packets with no TCP Flags enabled it's like sending a message with a blank slate setting the packet header to zero why you ask well this method is a crafty way to coax a response from a firewalled system by sending null packets to the Target you're essentially playing a subtle game of trickery seeking a response from systems that might otherwise remain guarded it's a dance in the shadows of network reconnaissance where not all systems choose to unveil their secrets in the face of such probing as you embark on this TCP n scan Adventure remember that the art lies in the unexpected responses the hidden Revelations that may surface in the wake of this nuanced exploration dive into the world of TCP fin scans with nmap the SF option is your key key to performing a TCP fin scan and here's how you command it n map S capital F your target now let's unravel the Intrigue in a TCP fin scan nmap sets the TCP fin bit active when dispatching packets all in a cunning move to elicit a tcpa from the target system in question it's a subtle dance where the absence of a flag becomes a signal seeking acknowledgement from the targeted system why employ such finesse well it's yet another method in the Arsenal of sending unexpected packets a strategy aimed at unraveling information from systems shielded by firewalls it's like tapping on the door with a nuanced Rhythm inviting responses that may reveal more than meets the eye as with any covert exploration not all systems will readily unveil their secrets in the face of such probing the TCP F scan adds an air of sophistication to your reconnaissance toolkit into the festive Spirit of network scanning with the xmus scan using nmap just remember to use the SX flag in your command n map S capital x your target now let's break it down in the xas scan nmap sends packets with special urg Fin and psh flags activated like lighting up a packet in the style of a Christmas tree this unique combination of flags is designed to see if it can get a response from systems protect ected by firewalls imagine it as a playful Holiday Dance of flags trying to get attention from the systems in a creative way however not every system will respond to this festive [Music] probing unveil the Fortress walls utilize the tcpa scan with the essay option in nmap to decipher if your target system is shielded by a firewall n map S capital A your target here's the lowdown with the PCP a scan nmap meticulously probes the Target on the lookout for rst responses no response received that signals the system is filtered if the system retorts with an rst packet it earns the unfiltered badge and discovering that there's a lack of responses on certain ports considered filtered indicates the system is likely fortified by a firewall the unfiltered ports may have their own special rules within the target's firewall architecture keep in mind the saay option doesn't spill the beans on whether the unfiltered ports are open or closed it's on a singular mission to unveil the port filtering status of the [Music] system Unleash the Power of customization with the nmap scan Flags option this feature allows you to craft a custom TCP scan tailored to your needs here's how you can command it n map scan flags flag or Flags then your target Target let's decode it with the scan Flags option you can Define your scan by choosing from various TCP header Flags picture it like assembling your own set of flags for the scan any of this combination of flags listed in this can be used with the scan Flags option so embrace the freedom to customize and create a scan that suits your specific [Music] requirements unravel the tapestry of supported IP protocols on your Target system using the IP protocol scan with the so option in nmap nmap S capital O your target picture this the IP protocol scan unveils the diverse protocols supported by the Target system icmp TCP and UDP commonly stand as the pillars of modern networks armed with this knowledge you can strategically plan your subsequent scans based on the detected protocols for a comprehensive list of IP protols consult the a website Unleash the Power of raw ethernet packets in your network Exploration with the send e option in nmap nmap send eth then your target imagine this by activating send eth nmap ascends to the data link layer Sid stepping the traditional IP layer on your system this strategic move empowers you to send raw ethernet packets offering a solution to potential issues with your system's IP stack embrace the potential of send eth a feature so potent that nmap automatically incorporates it where needed sparing you from the need to frequently specify it as a command line argument elevate your scanning game by delving into the realm of raw ethernet packets with n Maps send death [Music] option harness the flexibility of Ip packets in your scanning Endeavors with n M's send IP option nmap send IP your target here's the Scoop by activating send IP nmap seamlessly integrates with your local systems IP stack utilizing IP packets for scanning purposes this Choice provides an alternative approach compared to the use of raw ethernet packets noteworthy is the fact that the send IP option is automatically invoked by nmap when required sparing you the need to frequently specify it as a command line an argument now let embark on a journey into the realm of operating system and service detection with inmap where it's prow shines in uncovering the mysteries of remote systems mmap boasts a remarkable feature that sets it apart the ability to discern operating systems and services on target machines this capability delves into the responses received during scans aiming to pinpoint the host's operating system and the services it hosts at the heart of this capability lies TCP IP fingerprinting a process that Endeavors to identify the fingerprint left by a target's operating system and software versions while not in exact science nmap developers have meticulously crafted this feature to be both accurate and reliable as with many of nmap's powerful features the art of version detection is at your command offering precise control through an array of arguments explored in this section embark on the quest of uncovering the elusive operating system running on remote targets with nmap's operating system detection capability to unleash this feature wield the O parameter in your nmap command nmap capital O then your target witness the magic as nmap Endeavors to identify the operating system on the remote Target operating system detection is a crafty process analyzing responses from the target to unveil specific characteristics that hint at the OS type for the sleuth to be effective ensure there is at least one open and one closed port on the target system when scanning multiple targets you can utilize the OS scan limit option combined with o directing nmap to skip OS scanning for hosts that don't meet this Criterion for more in-depth exploration couple the V option with o revealing additional information that nmap uncovers about the remote system in instances where nmap struggles to pinpoint the OS accurately take charge and force a guess with the OS scan guess option inmap capital O OS scan guess then your target Behold a list of potential OS matches each accompanied by a percentage indicating nmap's confidence in the proposed match for those who prefer brevity the fuzzy option stands as a synonym serving as a convenient shortcut for the oskan guest feature [Music] delve into the heart of nmap's capabilities with the SV parameter unveiling the intricacies of service version detection nmap S capital V then your target witness the magic as nmap Endeavors to unravel the identity of the vendor and software version for each open ported encounters the scan results unveil a tapestry of information showcasing the software vendor and version numbers for services that nmap successfully identifies for those yearning for deeper insights the version Trace option serves as a beacon of Enlightenment enable it to immerse yourself in verbose version scan activity and map S capital V version trace your target version Trace acts as your guiding companion shedding light on the intricate details of version scan activity whether you seek to debug problems or yearn for additional insights about the target system this option stands ready to assist you on your nmath journey let's explore the intricacies of nmap's timing options a set of versatile tools that allow you to fine-tune the speed of your scans based on specific requirements whether you're navigating a high-speed local network with numerous hosts or carefully scanning slower networks or the vast expanse of the internet these timing options provide the flexibility you [Music] need nmap's timing parameters are versatile and can be expressed in milliseconds by default Additionally you have the flexibility to specify timing parameters in seconds minutes or hours by appending a qualifier to the time argument here's an example showcasing the usage of timing parameters milliseconds or the default one nmap T4 then your target seconds nmap t4s then your target minutes mmap t4m then your target hours nmap t4h your target this flexibility and timing parameters empowers you to tailor nmap scans to your specific requirements adapting to the varied Landscapes of network reconnaissance with precision and control the T parameter serves as a powerful tool to designate a timing template for your nmap scan nmap t 0 to5 your target timing templates offer convenient shortcuts for adjusting the timing options during a scan striking a balance between speed and stealth you can choose from six templates numbered 0 to 5 each tailored for specific purposes the following table provides an overview of each timing template Empower your nmap scans with the flexibility of timing templates allowing you to adapt your reconnaissance strategy to the specific requirements of your scanning [Music] environment fine-tune the parallelism of your nmap scans with the Min parallelism and Max parallelism options nmap Min parallelism number the you want than your target the Min parallelism option allows you to specify the minimum number of parallel port scan operations that nmap should execute simultaneously nmap usually adjusts this value dynamically based on network conditions but you can set a custom value if needed for instance this command ensures that at least 100 parallel operations are performed at any given time while tweaking this parameter May enhance scan performance setting it too high could lead to an acccurate results nmap Max parallelism number that you want then your target conversely the max parallelism option lets you control the maximum number of parallel port scan operations executed by mmap simultaneously for example the command end map Max parallelism one your target restrict Tri and map to perform only one operation at a time although this slows down the scan considerably it minimizes the risk of overwhelming the target system with a flood of packets adjusting these parameters provides flexibility in adapting and map scans to various Network conditions and Target sensitivities refine your nmap scans with the Min host group and Max host group options to control the parallelism of host groups and map Min hos group number than your targets the Min hos group option allows you to set the minimum number of targets that nmap should scan in parallel when scanning multiple targets such as a range or entire subnet nmap organizes the scans into groups for efficiency by default nmap dynamically adjusts these group sizes based on the scan type and network conditions however specifying the Min host group option ensures that nmap aims to keep the group sizes at the specif number nmap Max hos group number your Targets on the other hand the max hos group option enables you to specify the maximum number of targets and map should scan in parallel within a group this option proves useful for controlling Network load or avoiding detection by network security products by setting an appropriate maximum host group size you can find tune your scans to align with specific Network conditions and security considerations fine-tune your nmap scans with the initial rtt timeout and Max rtt timeout options to control round trip time Behavior nmap initial rtt timeout time you want then your target the initial rtt timeout option governs the initial round trip time rtt timeout value utilized by nmap the default timing template T3 sets an initial rtt timeout of 1,000 milliseconds adjusting this value allows you to reduce packet retransmissions due to timeouts and potentially speed up scans however exercise caution when decreasing the value too much as it may lead to inaccurate results inmap Max rtt timeout time that you want than your Target on the other hand the max RT timeout option lets you specify the maximum rtt timeout for a packet response by default nmap dynamically adjusts RT TT timeout options for optimal results with a default maximum rtt timeout of 10 seconds manually setting the maximum rtt timeout lower can accelerate scan times especially on fast and reliable networks conversely a higher maximum rtt timeout prevents nmap from prematurely giving up on slow or unreliable connections choose values judiciously typically between 100 milliseconds for fast networks and 10,000 milliseconds for slower or less reliable connection s fine-tune your nmap scans connections fine-tune your nmap scans with the max retri option allowing you to control the maximum number of probe retransmissions nmap Max retries number that you want then your target the max retries option empowers you to govern the maximum number of probe retransmissions that nmap will attempt typically map dynamically adjusts the number of prob Bri Transmissions based on network conditions however this option offers manual control useful for overriding default settings or troubleshooting connectivity issues adjusting the number of retries can impact scan duration and accuracy setting a higher value increases the time it takes for a scan to complete but may yield more accurate results conversely lowering the max retries speeds up the scan but may risk incomplete results if nmap abandons probes too swiftly strike a balance based on your priorities and the specific conditions of your scanning environment tailor your nmap scan to specific Network conditions with the TTL option allowing you to set the time to live for the packets in milliseconds nmap TTL time than your target the TTL option empowers you to define the TTL value in milliseconds for the packet sent during the scan this becomes particularly valuable when scanning targets on slower connections where conventional packets might expire before receiving a response fine-tune the TTL to optimize your scans Effectiveness ensuring that it aligns with the characteristics of the network environment you are probing streamline your nmap scans by utilizing the host timeout option designed to manage slow or unresponsive hosts during the scanning process nmap host timeout time that you want then your Target when scanning across networks with varying speeds or encountering systems protected by rate limiting fir walls some hosts may take an extended period to respond the host timeout option empowers you to set a specific time interval after which nmap will gracefully terminate the scan for that particular host if it fails to complete within the specified duration this proves invaluable when conducting scans across wide area networks or internet connections allowing you to to maintain efficient scan operations notably nmap's parallel operations enable it to continue scanning other hosts even if one is experiencing delays this mitigates potential bottlenecks caused by slow or unresponsive hosts if a host surpasses the defined timeout with the host timeout option nmap will not display results for that host regardless of any discovered open ports fine-tune your inmap scans with Precision using the scan delay option allowing you to introduce deliberate pauses between probes inmap scan delay time that you want then your target certain systems Implement rate limiting measures that can impact the effectiveness of nmap scans nmap by default dynamically adjusts the scan delay on systems where rate limiting is detected however for scenarios where you have specific knowledge of rate limiting or the presence of intrusion detect ction systems the scan delay option enables you to define a custom time interval between probes ensuring optimal scanning performance to set a maximum threshold for the time between probes the max scan delay option comes into play and map Max scan delay time that you want then your target while the max scan delay option can potentially accelerate your scan it introduces a trade-off between speed and result accuracy along with an increased Lo on the network carefully consider the balance based on your specific scanning requirements and network conditions control the pace of your nmap scans with Precision using the Min rate and Max rate options allowing you to tailor the packet rate based on your specific needs inmap Min rate number then your Target by default nmap dynamically adjusts the packet rate during a scan SC to adapt to network conditions however there are scenarios where you might want to enforce your own minimum packet rate although this is generally not recommended for instance using Min rate 30 in the example above instructs nmap to send a minimum of 30 packets per second but the actual rate may be faster depending on network conditions caution should be exercised when setting Min rate too high as it may compromise the accuracy of the scan to cap the packet rate the max rate option comes into play nmap Max rate number that you want then your Target in this command specifying Max rate 30 ensures that nmat does not send more than 30 packets per second this deliberate throttling can significantly slow down the scan a tactic useful for avoiding intrusion detection systems or targets implementing rate limiting for an exceptionally discret scan consider using Max rate 0.1 instructing nmap to send one pack it every 10 seconds this method adds an extra layer of subtlety to your scanning strategy overcome obstacles posed by targets employing rate limits on RSD or reset packets using the defeat RSD rate limit option in inmap inmap defeat RSD rate limit your target targets that Implement rate limiting on RSD packets can slow down your scans the defeat RSD rate limit option is designed to counter this restriction potentially accelerating your scans however it's crucial to note that using this option may result in less accurate results and is therefore employed sparingly in practice nmap is adept at detecting hosts implementing rate limiting on its own often making the defeat RSD rate limit option unnecessary as a result it sees infrequent use as nmap typically adjusts itself automatically to navigate such Network constraints navigating firewalls with nmap firewalls and intrusion prevention systems are formidable barriers against tools like nmap striving to thwart accurate reconnaissance of protected systems to counter these defenses nmap incorporates several evasion techniques this section delves into the various evasion strategies embedded in nmap to customize the maximum transmission unit or MTU and potentially confused firewalls you can utilize the MTU option in nmap nmap MTU number that you want then your target similar to the F option MTU allows you to set your own MTU for scanning the provided example MTU 16 instructs nmap to use tiny 16 bike packets during the scan it's important to note that the MTU value must be a multiple of eight like 8 16 2432 etc for Effective transmission of fragmented packets some host operating systems may require combining send if with MTU the D option in nmap provides a means to enhance your anonymity during scanning by incorporating one or more decoy addresses inmap D decoy 1 decoy 2 Etc or R&D numbers that you want than your target in a decoy scan naap sends spoofed packets from the specified decoy addresses making it appear as if multiple systems are scanning the target concurrently this helps the true source of the scan blend into a multitude making it more challenging to trace in the example nmap D R&D five directs nmap to generate five random decoys alternatively you can manually specify decoy addresses like this nmap D decoy 1 decoy 2 decoy 3 Etc it's essential to note that excessive use of decoys can lead to network congestion and diminish the effectiveness of the scan some internet service providers may also filter spoof traffic reducing the overall effectiveness of decoys in concealing your scanning activity the SI option in nmap introduces an intriguing technique known as the idle zombie scan nmap S capital I zombie host than your target this unique scanning method leverages an idle system turning it into a zombie to conduct scans on a Target system in the example 1022 acts as the zombie the scan capitalizes on the predictable IP sequence ID generation found in some systems for a successful idle scan the zombie system must genuinely be idle during the scanning process notably no probe packets are sent directly from your system to the Target tget however an initial ping packet is dispatched to the Target unless you combine PN with SI to skip the initial ping this intricate method exploits system Behavior to discreetly gather information without direct interaction for additional details and in-depth information regarding the idle zombie scan technique you can explore the dedicated page on the nmap website nmap Idol scan this resource provides comprehensive insights explanations and guidance on implementing the idle zombie scan effectively delve into the details to enhance your understanding of this unique scanning approach and its applications to manually specify the source port number of a probe in N map you can use the source Port option this option allows you to set a specific port number as the source for all packets in the scan by default nmap randomly selects an available outgoing Source Port however using Source Port enables you to exploit potential weaknesses in firewalls that improperly accept incoming traffic based on a specific port number commonly susceptible ports include 20 or FTP 53 or DNS and 67 or DHCP here's an example of using the source Port option n map Source Port Port that you want then your target additionally the G option is a synonym for Source port providing a convenient shortcut for the same functionality to append random data to probe packets in end map you can use the data length option this option adds a specified amount of additional data to the probes helping to circumvent firewall checks that may be looking for predictable packet sizes here's an example of using the data length option mmath data length number then your target replace number with the desired amount of additional data to be appended and target with the target system or network in the provided example 25 additional bytes are added to all packets sent to the Target adjust the value based on your specific needs to randomize the scanning order of specified Targets in nmap you can use the randomize hosts option this helps prevent scans from being easily detected by firewalls and intrusion detection systems as the targets are scanned in a random order rather than sequentially here's an example of using the randomize hosts option in map randomize hosts targets by randomizing the scan order you add an additional layer of evasion to your scanning activities adjust the command based on your specific requirements and targets to spoof the Mac or media Access Control address of an Ethernet device in nmap you can use the spoof Mac option this can help make your scanning activity more difficult to trace by preventing your actual Mac address from being logged on the target system here's an example of using the spoof Mac option nmap spoof Mac vendor or Mac or zero than your target replace vendor Mac or zero with one of the following param zero generates a random Mac address specific Mac address use the specified Mac address vendor name generates a MAC address from the specified vendor such as Apple Dell 3om etc for example nmap spoof Mac zero then your target this command instructs nmap to generate a random Mac address for the scanning activity adjust the command based on your specific requir requirements and targets the badum option in nmap is used to send packets with incorrect checks Sims to the specified Host this can be utilized as a technique to potentially elicit a response from a poorly configured system or as part of network security audits here's an example command using the badom option inmap badom then your Target in this example nmap will send packets with incorrect checks of to the specified Target however keep in mind that well-configured systems typically won't respond to packets with bad checkum this option is mainly used for specific situations where you are auditing network security or testing against certain configurations nmap script engine the nmap scripting engine NSE is a powerful tool that allows users to develop custom scripts which can be used to harness n Maps Advanced scanning functions in addition to the ability to write your own custom scripts there are also a number of standard built-in scripts that offer some interesting features such as vulnerability detection and exploitation to work some magic with NSC scripts just use the script option it's like casting a spell to reveal hidden secrets nmap script script you want to run then your target for example for instance you want to get information from who is records retrieving who is records can provide valuable information including the registar organization name creation and expiration dates geographical location and abuse contact details nmap facilitates batch processing of who is records for IP addresses or domain names the following command demonstrates how to use nmap for this purpose nmap SN script who is- asterisk then your target let's breaking down the command SN will skip the port scanning phase script who is Will executes NSE scripts matching the file name pattern who is two scripts match this pattern who is IP query is a regional internet who is database and who is domain obtaining referral records until the requested information is found executing this command will provide who is information for the specified Target it's a convenient way to Gather Comprehensive details about IP addresses or domains in a batch fashion let me give you another example to obtain trace route geolocation information to obtain trace route geolocation information using nmap you can utilize the trace route geolocation NSE script the following command demonstrates how to achieve this in map trace route script trace route geolocation then your target let's breaking down the command trace route will initiat a trace route to the specified Target and script trace route geolocation will executes the trace route geolocation nsse script the script will display geolocation coordinates for each hop in the trace route results it relies on an external service from HTTP w WJ plugin com doesn't require an API key and has no query limitations Additionally you can save the results in KML format for later visualization on Google Maps or Google Earth you might want to explore the nmap script engine scripts available on this website for additional functionalities it's a great resource to enhance your understanding and usage of nmap uncover a rich tapestry of possibilities that will not only broaden your understanding but also elevate your proficiency with nmap to new heights this resource offers a diverse range of scripts each serving as a gateway to enhanced functionality and a deeper exploration of the capabilities that nmap has to offer whether you're a season user or just starting this repository is a treasure Trove waiting to be explored output options in nmap ah behold the Myriad ways to record The Echoes of your digital Expeditions nmap the Oracle of networks offers you several Enchanted Scrolls to to transcribe your scan Revelations let's explore these mystical output options when nmap unveils its findings the default display Graces your screen with the essence of discovered ports hosts and their secrets to inscribe your findings for eternity you can harness the power of output files you can use o capital N to save as a text o capital x to save his XML o capital G to save his Gable file or you can use the o parameter saves the output of a scan in text Gable and XML formats in the Grand Theater of network exploration witness the mesmerizing display of scan statistics with the illustrious stats every option let the dance of information unfold before your eyes nmap stats every 2s then your target as you embark on the journey through the network Realms the mystical stats every option commands and map to unveil the status of the ongoing scan at regular intervals in this incantation every 2 seconds the veil is lifted revealing the secrets uncovered so far feel not the annui of a stagnant screen during language scans for the periodic spectacle shall Captivate your attention the timing parameters are at your back and call seconds minutes or hours Anointed with the symbols s m or H absolutely you've done a fantastic job to stick with this video in the intricacies of end map and its various scanning techniques now with Zen map stepping onto the stage it's like having a magic wand to orchestrate these powerful scans effortlessly zenmap with its userfriendly interface turns complex nmap commands into a visual Feast just a few clicks and you're weaving spells with your scans whether you're on Windows Mac OS X or the land of Unix Linux zenmap is there to make your scanning Journey smoother than ever thanks for sticking with this video I hope you found something valuable in the content if there's anything more you'd like to explore or if you have any questions don't hesitate to let me know happy scanning and stay curious if you're interested in learning how to install kie Linux I recommend checking out the instructional video available it provides a stepbystep guide for a comprehensive understanding of the installation process
In this video, David and Chris discuss Chris's recent achievement of passing the Certified Ethical Hacker certification and delve into the use of Nmap, a network mapping tool. Chris explains how Nmap can help discover devices on a network and the importance of understanding its various scanning techniques, particularly the TCP SYN scan and the connect scan. They emphasize the value of practical learning through capturing and analyzing packets with Wireshark, rather than just memorizing command switches. Chris demonstrates a simple Nmap scan, highlighting the difference between open and closed ports and the concept of a stealth scan, which is designed to minimize detection by the target system. The video encourages viewers to follow along by downloading a sample packet capture file for further exploration.
hey everyone it's david bomble back with chris chris you recently passed a security certification and i'm hoping that we could do a security video today but firstly welcome hey it's great to be here david and wow that's a way to to come out the gate so yeah what so did you do i went ahead and did the certified ethical hacker ch and i know i know i know i know there's a lot of different opinions floating around around that one and uh definitely we'll dig into that one but i actually had a client what happened is i had a client that went ahead and asked me to get it and they went in and helped me out with that so so so um boy did i learn a lot david that said the the test is another thing but i certainly enjoyed getting into a lot of different new topics for me coming from a packet background [Music] i'm hoping you're going to teach us something about nmap oh yeah for sure this is a tool that i've used for years but i just hadn't used it to this level until i started really digging into it for me i'm the kind of guy if i don't see it at the packet level with wireshark i don't really understand it i came from a background of that's that's what i would first do with the tool i i see a tool i start up wireshark and then i compare what wireshark sees with what that tool output gives me so that's why we're here about nmap yeah so explain what are we going to look at today because i'm hoping that you're going to run nmap and then do something and then we're going to actually look at the packets is that what we're going to do yeah for sure if you are out there studying for a cyber security certification uh nmap switches are going to be on your test i mean you're going to have to know them now learning them is another story uh really we have one of two ways of doing it you can either flash card and okay what is dash s capital s dash s t dash s what are all those switches and what do they do or you can use it practically and have a lot more fun doing it so which one sounds better to you the best way to learn any protocol is to just capture it and have a look at what it's actually doing not what the textbook tells you it's doing so take it away chris show us what you you know i'm hoping you to start wireshark like right now and show us what's going on yeah why not that's always fun let's take a let's get those packets going so nmap let's just take a look at nmap so so basically what nmap does it's network mapper all right so it allows us to discover devices on a network why is that important well how are we going to go in and try to hack a device or even inventory devices i've used nmap just scanning around my own network and taking a look at what's there and what ports are available even doing like an internal pen test on myself and nmap allows us to do that now there's a thousand switches with nmap or options and if you look through the the actual help of nmap uh there's a lot that it can do and and and we can see some of those here david look at all these switches so we have host discovery target specifications scan techniques port specification looking at services even enumerating operating systems so we can take nmap and we can launch it at a device and we can learn a lot more about the type of os that that device is running why important because how can i find a vulnerability to then exploit if i don't know the operating system okay so yeah i'm hoping you to show us at some point i believe that's in a separate video we we're going to cover that as well yeah we'll get there but first we want to just talk about some basics and understand more about how nmap works so let's just do this now like a question would be like what's the difference between a like a normal scan and a stealth scan and uh you know there's a lot of options in nmap so hopefully you're going to show some of that yeah for sure so i think the two biggest ones are i should say maybe biggest is the wrong word but uh two of the ones that you're definitely going to be learning and using have to do with tcp connections all right and you're going to find that there's two major ones if we come here to scan techniques you can see the first two here ss and st so this is tcp syn and connect now those are different there's a difference between tcp syn scan and connect scan and that's what we're going to really focus on today maybe in other videos we'll get into finn christmas scan and some of these other ones even udp scan but for today we're really going to focus on those first two so does that sound like a good time to you yeah i mean it'd be good to know the difference so yeah hopefully you're going to like show us farther packets absolutely so let's do this first i'm just going to say nmap and here's the way to remember it if it's a scan then use dash s lower s there's your small s and then the next letter that you use that's going to tell you the type of scan that you're going to do is it an arp scan well that's arp oops there we go bottom s that would be an arp scan how about a udp scan how about a a connect scan is t all right so a lot of times you can just use the the name of the scan to figure out the type of scan it is a thin scan um um um now there's different reasons why you would use each one and we'll build on that but just to get this right out the gate let's have everybody if you don't have nmap then go get it and follow along with me here you can just do nmap and you can just do let's just do a sin scan and i'm going to come over here i'm just going to start this up here let's start up this capture you can see a lot of our traffic going on here in the background what i'm gonna do is just just launch it okay let's just grab a device and let's just see what we do what i am going to do though i'm just going to do dash f there's a reason for that that's just a it's a fast scan it's only going to test the top 100 ports the number of ports that are available again another test question that you might find there's 65 535 ports that tcp can possibly have opened right so we don't want to have to just destroy a device as we're trying to scan it let's just just be a little bit more simple with it and we're just oh look at that sorry forgot about my root privileges got to come back i'm just going to do sudo because it does a lot of scans require to administrative privileges on the system so it's a lot of times you're going to have to do sudo so there we go and let me just run this one second password are you running this on your mac or unlimited i'm running this on my mac right now the nice thing is that the um the the commands are going to be all the same right so if you're on cali uh and really even on windows i mean you're going to find except for the suitey part you just gonna have to run your terminal as administrator okay so if you notice here on my capture over here and i'm just gonna set a filter if you didn't know you can set a filter while you have a capture running and that'll filter on just the traffic going to this device all right so i've got a device out here i'm just going to stop my capture i've got a device out here and i have tcp 53 is open there's one open port and then the other one is 1900 using the sin scan okay cool well let's go ahead and take a look at just on this live capture i'm going to show you this live david and then i'm going to open up another capture that has a few more interesting ports and we're actually going to be able to share that with everybody you can go down to the description down below and you can download the stealth scan pcap and you'll be able to follow right along with me so we'll get to that in just a moment but what i want to do is i just want to filter so let's just do okay 4.1 was our device and let's just do and tcp port equals equals 53. let's see what we get all right so here we can see that here's our client it established a connection or it sent out that tcp send to 4.1 that was our target and we're sending this to tcp port 53. well seven milliseconds later we get a syn ack back but notice what happens right after that our client says nah let's reset this is known as a half open scan the reason is because we only have half of the connection open a tcp connection is not open until you have sent a sin and you have received an act for that sin so as a client i got my act so i sent my sin and i got the ack for that sin but the server sent his sin i never sent no ack i just went nah reset so that's why it's called half open now in nmap that type of scan is called a stealth scan right so ss ss ss okay so so that's uh any port that is open and available is going to respond with that synack if it's a port that is not open let's go ahead and try port 80. this is what we're gonna see i send out my sin and i got a reset ack back so so so this one's closed the server has reset it because we it doesn't have that port open yeah correct when you hit a port that is closed sorry talk to the hand reset yeah all right so that's how wireshark knows that the ports are open sorry not wireshark that's how nmap knows that the ports are open because it's getting an act correct when i send a sin and i get a synac back that port is open simply let's just call that the stealth scan now let's think about this though why would this be called a stealth scan well basically back in the day it was thought well okay if if i send this sin and then it gets a syn ack and i reset it right away well maybe that device that i'm trying to enumerate i'm trying to attack maybe it won't log it where if i do a full tcp connect scan the potential is there that it'll go oh there was a connection attempt and it was reset really anymore most systems today even on the end map if you go out to the nmap website they even tell you they're like yeah stealth might not be the right word for it anymore because a lot of ids systems will find this anyway right so it's not like one is really clandestine and secret and the full connect scan is to be just out in the open if you're a numerator network if you're pen testing likely you're going to be found if you just launch this thing on a network so uh should we contrast the kinect scan yeah i was going to ask you know how's that different to a standards like connect stuff scan three shall we let's do it uh i'm just going to start up another capture and then what i'll do is i'll flip over to the other ones that we're going to share with everybody so everybody can be on the same packet page all right so let's do this i'm gonna go ahead and start my little capture got it going now let's come over here i'm just gonna do studio again but this time i'm gonna do st st st that's all i changed now let's see how that changes things all right so we have those same two ports open and i'm going to come over here let's just do an and tcp port equals equals 53 so let's take a look at this connection now what's different here if i i have a sin sin sin and i got a synack but this time the client or the tool acts back this is a full connection right after that only a whopping 18 microseconds later we send us a reset so basically hey david you there yep i'm here great bye that's a full connect scan now there are some other differences here that i'd like to point out that if you are looking at traffic on your network there's some differences between these two types of scans that you if you see them in wireshark you'll be able to quickly tell the difference more than just the half open and the full handshake there's also some some things that nmap is doing or not doing with these scans that i'd like to point out too let's go and flip over to the the other uh trace file all right so in this pcap which i'm going to share with everybody you can hit that link in the description down below um what i did is i went ahead and scanned a much more open device a device that had a whole lot more ports open so in this scan what we're going to do is we're going to take a look at just that's that sin scan but but but how certain things would jump out to us if we were looking at normal network traffic this is where it turns into the real world david if we're a sock analyst blue team if we're looking at pcaps from our environment how can i know if my stuff's getting scanned and that's what my clients come to me for they'll send me here's a terabyte hard drive full of stuff here's a bunch of captures like what's going on and where are we getting intact okay so let's go ahead and take a look from a scan perspective anyway let's just pick a port here so i'm just going to do tcp poor equals equals 80.
all right so right out the gate we can see that this was a scan going to port 80 among others so if everyone put that port scan there so here we have syn synack and then we have a reset there's our stealth scan but there's a few other things that are up that we can take a look at that look a little bit interesting in this type of scan so i'm just going to go to that first sin now here's the thing when we send a sin scan the the stealth one nmap is actually generating that scan it's actually coming from the tool itself so nmap is generating that sin putting in things like for example oh let's just pick out some stuff window the window is 10 24. if everybody's seen some of our tcp deep dive stuff that we've done david you you know that i'm advertising that i only have enough room in my receive buffer for 1024 bytes that's teeny okay so that's something that might catch my attention something else if i look at that sin if i come down here to options the only tcp option that that the nmap stealth scan is offering to the other side is an mss in the real world when you're looking at true tcp connections true sins that are happening that's not the case you're going to have a lot of tcp options you're going to have things you're going to see stuff like time stamps and you're gonna see window size and selective acknowledgement sack you're not gonna just see only one tcp option typically so in other words what you're saying is you know this is dodgy traffic for lack of a bit of word because the window size is really small and and and they're not enough options oh that would flag my attention in a heartbeat absolutely how would you find that in like a terabyte of data how do you find the stuff chris because like needle and haystack type stuff glad you asked david why don't we come down to window and let's actually talk about that for a moment how would i set a wireshark filter that will directly find this so first of all finding a packet that i would be interested in finding later is a is a great way to do it what is it that makes this packet unique well first of all i got a window right so let me go ahead and right click that and i'm going to come up here to prepare as filter and i'm going to go to selected okay so tcp dot window underscore size underscore value equals equals 10 24. that's a mouthful do i ever want to have to type that out no of course not that's why i can find a packet with that field i can borrow from down here on the bottom left tcp.windows size value all that and i can send that upstairs or what i could do is i could just take this is another kind of cool thing about wireshark you see i'm dragging this right now i can also drag and drop that filter super cool in fact another thing that would be weird about this i only have so many options there's not a whole lot here there's only one option so something else that might catch my attention there's a couple ways that we could filter on this let's come up to header length and i'm just going to right click prepares filter and i'm going to say and selected now let's see what we just did i said show any packet that has 1024 as the window size and and and also the tcp header length is 24. all right what does that mean well basically the tcp header without any options without anything else going on is 20 bytes you've got your source port destination ports sequence numbers acknowledgement numbers flags window all that stuff right up to urgent pointer that's the last part of the 20 bytes after that if i have options there's some extra stuff if this isn't the beginning of a handshake which by the way let's not forget that we need this to be a sin right so let's go ahead and right click flags as well and i'm just going to say prepare as filter and selected so look at we're building this filter out out out if this is a sin which is flags what i'm doing is instead of of of just focusing on that individual bit of a sin i'm saying take that whole flags field and the only bit that will be set is sin if i say sin if i do this another way if i say tcp dot flags sin equals equals one that's gonna get sins and synax i only want the sins let's go ahead and back up so i'm just saying flags as a whole here's the hexadecimal value and if you look sideways down here that's for the the hexadecimal people out there i've got zero zero zero zero one zero that's a two that's why it's zero zero two right so i just want that syn location to be one that's why my flags are zero zero two so let's see what we did with this filter this is only syns this is sins that are advertising a tcp window size of 1024 and that header length is only going to be 24 bytes now let's talk about that for another moment the header length again tcp is going to have a 20 byte header and at the beginning if there's a lot of different options that header length is going to be much larger it's going to be another 20 bytes or so so this would catch a stealth scan is it always 24 on nmap or is it like can you change that or is that just the default yeah for the stealth scan tell you what why don't we test this against a couple other packets let's actually apply this thing all right so i got a thousand packets and i know for a fact that i sent a thousand when i did this scan i did it with the thousand most common ports right there i'm able to see um that it caught everything and you just did like a stealth scan like we did a few minutes ago with no you didn't specify anything else so that was just the default values correct if i want to i can come over here and this is probably a a good way to actually show it so we learn it better um if i do dash p that's for port and right after that that's where we can specify do we want specific ports do we want a range of ports if i want to be specific i can say one to one thousand or let's just say um if if we don't leave this then what it's going to do is it's going to try the top 1000 it's gonna say these are the most common ports if i don't want a thousand if i want to run a little faster that's that dash f it's just gonna do the top 100.
yeah what's interesting is that it's using like a window size of 1024 and the tcp header is 24 so that's a just looking for 24 byte header is an easy way to see if someone's scanning your network unless they've made specific changes to try and hide what they're doing exactly that's the and that's the thing you know when we're talking about cyber security it's hard to make absolutes all an attacker would need to do is change this to 25 bytes how did you discover this is it just you're looking through data and then suddenly you saw while this just looks weird yeah that's exactly what i did let's go ahead and run that full scan again and what i'd like to do is show you how that would change when i'm looking at a full scan let's go ahead and check that out all right so i'm going to start my start my capture and let's just run this guy only this time we're going to do the st and i'm going to show you because remember that was for the stealth so what i started to do is i was just looking at these scans i started to realize oh and we already we already caught that that scan let me stop okay so let's see what's different let's see if everybody can pick this out full connect so first of all what's our header length right that's different and sin is the same but if i come down to my window i've got a complete 65535 window so on the full connect scan look at all the options i have yeah very different sac time stamps window scale and that's more realistic for proper traffic in the network exactly here's the reason why these are different now the audience might be thinking great okay so the stealth scan looks weird but the connect scan doesn't and that's because nmap doesn't generate this on its own what it does is it issues a connect call down to the operating system kernel stack and it says hey you tcp you generate this connection i'm not going to do it as a as a tool i want the actual interesting operating system to do it that's why this syn looks so much different because the the true os stack is the one that actually generated this and that's why it looks much more real a real window a useful tcp window so instead of saying hey david do you want to connect you can only send me a thousand bytes now i'm saying hey david do you want to connect i'm going to start out with 65 535 as a window by the way you're going to be able to multiply that bad boy by 64. so we're going to have a big cool bucket of data to work with right that's that's why that caught my attention when i was when i was looking at those stealth scans because this was so low i mean in some ways the stealth scan is less stealthy compared to this isn't it to me yeah i would catch it way faster than i would this for sure yeah is there anything here though that looks weird was it just because you see how would you catch this i would come to this part of uh of wireshark and this is called tcp conversation completeness now what on earth is conversation completeness well glad you asked basically what this does is it assigns values to different aspects of the tcp conversation so here's a standard conversation so basically what what conversation completeness does in wireshark uh this is uh basically it's it's a cool little feature it's come out just in the in the recent year really so basically a full tcp conversation that is normal and healthy it has has a beginning so a handshake okay and the first packet of a tcp handshake everybody is son son son good job all right yes you got a gold star thanks all right i can't believe i'm giving david palm ball gold stars anyway yeah i know nothing i know nothing about this okay all right no yeah no a lot of things okay how about the second packet everybody what's that one called come on snack good job okay here we go and [Music] whoops all right flushed out all right last packet is ack good job with our handshake okay we've already seen this in our um our nmap scan okay so there's a handshake so a connection began data gets exchanged okay acknowledged okay and then this connection gets shut down so so so this could happen any any way either through a fin or a reset okay so let's just say i'm just gonna shorten this out and just call this finn okay this is a complete conversation in tcp so-called all right now what wireshark does is it is it's assigned values to each one of these functions sin this gets a little deep and we're going to actually i'm going to link the wireshark page and the actual information or the the wiki where it talks about each of these values but we'll just go over it together so basically the syn gets a value of one synap gets a value of two the ack gets a value of three or a four this is binary okay a reset down here is 32 and the fins are 16 and data is eight all right do you see the the binary way we count so 1 2 4 8 16 32 so basically the way that tcp completeness is calculated all right so we have a tcp completeness of 39 all right so what this means is we saw a 1 we saw a two we saw a four that's seven and then we saw a reset we add all that up and when we say a handshake followed by a reset that is a tcp completeness of 39. yeah so no data sent yeah and that's why it says no data yeah so so so in this case that's weird isn't it oh boy boy boy yeah well i mean it means um okay does this happen in the real world yes it does does it happen often in the real world it shouldn't if i said tcp completeness and this is where i would do this day this is where i would look a little closer i would say prepare as filter and let's do and selected and i'm going to go ahead and remove my port off of this just to keep things more open oh you don't like the parentheses hang on on on all right so anything to and from this host tcp completeness is 39. this is going to show me when a connection was attempted synapt came back back went out and a reset happened right away right away i would be thinking if i saw one of these david maybe i wouldn't be super worried about it if i saw thousands of these hey hey hey someone's scouting absolutely so this is one way that we can filter for that tcp completeness is 39.
how did you discover this chris is it's just like you you just captured packets and then you looked at what was weird based on what you normally see here good question and yes um for me as far as the tptcp completeness thing goes what i thought was okay how can i capture a handshake that is immediately reset that's a tough filter to build right it's like if you do that by hand uh that's that's a long filter i gotta say yeah yeah i mean basically what i gotta do to to do the equivalent thing that conversation completeness is doing first i gotta set a filter for sin and then i gotta set a filter for uh an ack that has a sequence number of one and an act number of one and reset on the same port number it's just i'm confused even explaining what i just explained so that's part of the reason why the amazing people behind wireshark came up with conversation completeness is because we could do these kinds of tests where we could say hey how far did the tcp conversation get and this is really useful when it comes to port scans so another thing that i could do is i could set tcp completeness let's just say that i'm only looking for a sin and a reset well the sin is one the reset is 32 that could be 33. now i can use that feature of wireshark to get a better handle on how much of this scan activity has and it all goes back to if i see it once maybe i'm not super worried but if i see a pattern here or even if someone comes into nmap and slows the scan down which by the way we can do we can say hey be really stealthy only let out a few of these every couple minutes or seconds you'll still pick it up though you can still pick it up i mean i suppose the problem is if you do it over a long period of time you can have so much data so your capturing device has to have the capacity and chris we that gets us to another conversation our devices good enough today to capture huge amounts of data um or do you need specialist devices that's a great question um okay so here's your threshold and this is what i i do okay so i'm a packet consultant right i get paid to go in and find problems the last thing that i want is missing data because sometimes it comes down to that one packet that the analyzer missed and as soon as i see that i start to doubt my whole trace file okay so sometimes people will send me pcaps even from youtube they'll watch a video like this and they'll say hey i just need some help analyzing this certain problem which is great they can interact and send a pcap and right away if i see a previous packet not captured or if i see symptoms if it almost looks like false re-transmissions which it does take some time to learn how to identify that which you and i can continue to to chat about but the point is if i have uh i call it dirty data if i have my if my data is missing then i start to question my whole uh pcap right packets of the gold it's unreliable yeah it's unreliable so your question was how well does does the hardware keep up well i think everybody knows that a laptop wireshark with a laptop in normal data center world it can't keep up with super high data rates most network engineers know that if i ask them can can can can a copy of wireshark on a laptop keep up with 10 gig most people are going to say oh no okay then when does it start to fall yeah exactly my benchmarking shows that most of the machines that i have had and done my best to optimize i'm i'm not able to accurately capture time stamps and everything much over 100 megabits per second oh wow that's lovely yeah so when you go to site do you have a laptop or what do you do do do you have like specialist hardware what do you do so so yeah dave that's a good question and let me just show you what i use um just because it's backpackable if that's a word so this is actually the profit tap iota and and and literally what it is is it's a hard drive terabyte hard drive with a tap built in right so i can go network one way then device under test the other way or i can connect it between two switches on the up link but it comes in 10 gig as well and beyond depending on the money you want to spend and then it's got a management port all i have to do is i literally plug this guy in power it and then there's a little button here see a little guy that button yep yep yep capture and you just let it run for a while yep i let it cook let it grab all the traffic that it can and then what i can do is interface with it and i can i can pull pcaps back from it or i can also use some of the analytics that are built in so a lot of times i have this running even on my home network just to keep an eye on things and look for scan activity like we're talking about uh a lot of times i find my own but uh right part of what this does is it allows me to go to a period of time where i say hey client hey customer what time was it when this happened and i trained them to tell me oh it happened at 3 30 chris okay cool at least i can go to that time index and i can back up five minutes and go forward five minutes and i can extract that that component right so capture better capture smarter no one should be digging through a single p cap that is you know a terabyte i mean that's important to know i mean the the other question is okay so you got like a terabyte of data or whatever it is i mean that it's going back to that whole question how on earth do you find things so i mean you've given us some good tips but have you got any other like just from your experience how would you you know you got this crazy big file how do you even start to look at that stuff right so there's two ways one um you can do make use of the command line tools so from there when you install wireshark you also have command line tools like a t-shark edit cap merge cap these other tools you actually install like nine different tools something like that when you put wireshark on there those tools have a much better time with very large trace files so sometimes what i'll do if someone just literally gives me a hard drive full of data what i might do if it's a super large pcap what i'll do is i'll go in and break it up i can go in and say just break this up into smaller pieces better though let me show you the real thing that i do yeah this is legit real world something that i train my in my students in my classes i talk a lot about this and i know we've left off from nmap but this is a really important part of capturing this stuff in the real world what i do is i try to train them from the beginning to capture wisely and and and one way is by using let's just go ahead and use uh dump cap now a lot of times when you're in wireshark wireshark actually calls dump cap to do the actual capturing dump cap is a it's a tool that gets installed with wireshark if you don't already have it or another one that a lot of people might use on a server or an interface is tcp dump right so what i'll do is i'll say okay let's just go ahead and do this let's go to dump cap okay now if i go to dump cap dash d this is going to show me all the interfaces that i have access to for doing pcaps to capture from let's just grab the first one this is the wi-fi interface okay so let's just do dump cap dash i that's interface 1. so i'm saying hey dump cap go grab a bunch of packets off of this interface and if i just let this thing fly it's going to go great it's going to start to dump that traffic into a temp folder and it's just going to call it wireshark wi-fi and david this will go until i stop it this is going to be a big trace file especially if i leave it for a full day well i don't want that so instead what i'm going to do let me just back out of that guy what i'm going to do is give it some parameters so i'm going to say actually it's called if you look at the help menus you'll see this but if you go dash b you can do file size and in kilobytes i give it the amount of traffic so my file size let's just say okay so one kilobyte 10 kilobyte files 100 kilobytes meg that's a that's a 100 meg file so what i'm saying is dump this into a 100 megabyte file then dash b files and i can say let's just start with 10. okay so what that does the file switch is it says save 10 of them and then let's just say i'm just going to write this out and i know there's a lot of switches here but um you know it makes sense though and i mean this is a lot more efficient at grabbing grabbing traffic rather than the y shark gooby like you said the y-shock gui actually goes and uses this absolutely yeah i just started what's called a ring buffer now this this gets back to your question how do you find this in an ocean of packets how do you find the three that make the difference well first of all let's capture smarter so what i did is i started a capture i said i want 100 megabyte files and i want 10 of them so what this does is it starts it's called a ring buffer on my machine now i'm going to grab 10 files of 100 megabytes each and after the 10th one it's going to go overwrite the first one okay so it's continuous yep ring buffer so now i can play with these numbers i can go you know 100 megabytes is too small why don't we bump that up to 500 megabytes and i got some i got some horsepower to work with on my hard drive so why don't i go ahead and up this to 100 files and that'll give me more time point is david has a problem and he goes oh that weird thing happened that i'm troubleshooting or things look kind of funny uh it happened whatever we're troubleshooting and i say hey david what time was that and if you say he's like oh it was about 8 30.
cool i can go back to my ring buffer and i can look at my time date stamps that are right here and i can say okay this is look at us we're at 222 22. for me it's 10 56 a.m and i can just find the one that happened okay i'll change from 8 30 in your example to 11 a.m right so i can find the one that was capturing during that period of time and now i just went from a terabyte hard drive down to a 100 megabyte file yeah yeah so capture smart capture smart i try to make my pcaps as small as i can and also uh when we're looking at real data really be focused on um the when the what the wrong thing to do david is just to jump in and just hope that we get the right packets at the right time right we we need more information when did it happen what type of thing occurred and when we're doing cyber security open captures like this just it's a lot easier and more digestible when we're dealing with these smaller pcaps i remember the you know doing a lot of network network troubleshooting the hardest problems or the transient like weird things that just happen seemingly randomly it's so hard to try and troubleshoot that stuff so i like what you're doing you know like let it run you know if this is running continuously and just overriding itself then you know the i mean you correct me if i'm wrong but like the client's running this and then when something happens they can call you okay it's happened now or you know they can try and give you a time when it happened that day and then it gives you time to go back and look at actually what happened at that time rather than just trying to guess absolutely in fact let me show you one one other thing that i do i'll get this this capture going either locally on their system or somewhere on the network off of a span port a tap and what i'll do is i'll come in and imagine this is the user's machine okay this is i just have a test copy of windows running here's a vm um but what i'll do is i'll go into their system and i'll say okay let's go ahead and just do new let's just do a shortcut and i'm literally just going to type in my personal website okay packet pioneer dot com com com okay the reason is because it's unlikely that that person that end user that i'm trying to resolve is just going to go out to my personal website that's an unlikely thing to happen it used to be that we would do this with telnet back in you know when telnet was just a it was a part of a standard tool set that was still on windows people didn't use telnet because it's open and you can see the traffic that's actually happening you can grab passwords and things but now ssh people are doing that through putty and such what i just need to do is i just need to find something to trigger on right so so so what i do is i name this it happened okay i put that right over here on their desktop and then i say david go about your business do your work and then the next time it happens just go double click that and it'll go out and it'll go to my website what does that do well now i can stop my capture and this is a great little example here and let me gotta find where that file went i think it's just on my root there we go yeah okay so now i'm back in wireshark right so i've got a ton of stuff here i've got a hundred thousand packets how do i find the one where it happened it happened right so let me just do frame contains packet pioneer and i'm going to get all the packets that contain that name now i'm i am packet pioneer right so but i could see i actually tested this once and here we have it again so usually you're just going to see right here now i have a bookmark now i've got packet pioneer this is where this was actually generated and um we i can now look around that period of time in the pcapp and that's that allows me to set other filters for when it happened that's great so in other words you you find the timestamp just off that like marker and then you can say like five minutes after that all but ten minutes before it or whatever yep then i can come up here to view time display format time of day and now david said it happened at 1103 and he hit the it happened icon and now i have two bookmarks i have a period of time but just in case my time sync isn't correct on the the capture device now i can know also from the packets themselves he hit the it happened icon that's brilliant but i mean anything any lost like parting thoughts about tips that you've got from the real world i mean we started with nmap and we kind of like moved into like real world real world stuff but i think it's important because you like highlighting what's weird on networks um any other quick tips before we wrap it up yeah i think uh for me i don't get something until i see it at the packet level especially getting into cyber security um with with those that are if they're new to cyber security or if they're learning how these tools work wireshark is a great way to have that open and get that thing capturing while running these tests don't do that thing where you just become you're just generating a tool or you're using a tool and hitting a button and then watching some output that you don't understand wireshark is a tool that can help you to understand it and david hopefully you and i continue to do this kind of content where we can walk people through what to look for on the wire to the audience please put in the comments below stuff that you want chris and i to discuss i mean the good news chris is we we're planning to do a whole bunch of videos um and i think we want to cover as many protocols as we can i want to twist you to get back for more tcp deep dive stuff udp deep dive and some other protocols so there's a lot to cover chris really want to thank you you know for sharing your knowledge for free really appreciate it thanks for having me back david i always enjoy hanging out with you and of course everybody who watched too brilliant thanks chris [Music]
In this video, the presenter focuses on using Nmap as a powerful tool for penetration testing, guiding viewers through the process of network scanning. The tutorial covers essential steps such as host discovery, advanced port scanning, and vulnerability identification. The presenter emphasizes the importance of obtaining permission before scanning networks and demonstrates various scanning techniques, including ARP broadcasts for local networks and ICMP echo requests for external sites. Viewers learn how to interpret scan results, particularly the significance of open, closed, and filtered ports, and are introduced to basic Nmap commands to initiate scans effectively. Overall, the video serves as a practical guide for enhancing penetration testing skills using Nmap.
foreign [Music] welcome back to another Nielsen networking video let me ask you are you ready to take your penetration testing skills to the next level if so you are in luck because in this video I'm going to show you the power of nmap which in my opinion is the ultimate Network scanning tool that said this video will be focused specifically on nmap when used for penetration testing I give that disclaimer because we have other videos on the channel that offer a more generalized overview of nmap and its uses so that may be more your style if so check out the link above or just go browse for it in the channel now with that out of the way and to reiterate the focus of this video will be on nmap from a pen tester's perspective what does that mean that means I'm going to take you step by step through the process of using mmap for initial host Discovery all the way through vulnerability identification and exploitation to show you what I believe nmap is a must-have in any penetration testers toolkit so stick around as we explore the various functionalities of nmap and learn how to utilize them in your testing process we're going to go from host Discovery to Advanced Port scanning and service enumeration and we're going to cover it all plus I will show you how to use nmaps Advanced vulnerability testing features and how to take your results and use them with another tool to test any vulnerabilities that we do discover so let's get to it all right to get started here I'm going to go ahead and maximize my terminal I will be using Kali Linux for this video that said nmap is available for almost every major Linux distribution and even windows so that's that I will be using this from the perspective of a pen tester so remember that and we're going to be sticking specifically to to and Maps uses in pen testing I say that because we're not going to go out and do any open source intelligence gathering you know I already would have had permission from the Network's owner that I'm performing these on these are going to be performed in my own virtual Network so obviously I do have permission but in the real world you would have needed you know to get the permission to get everything ready to where you're at the point we are now on the network and we're going to perform this host Discovery so that said let's get started with that all right the first thing we need to do is verify the network we're on so we're going to type in route hit enter and you can see right here this is the network we're on uh and this is the default gateway and to verify that we're on that Network we can look at our IP address by doing an if config and verifying right here that that is the network we're on so we are on the 10.0.2.0 network good enough and we're going to start off using this scan and I'll explain what this is as soon as I'm done typing it and just an FYI all these commands you'll be shown today are case sensitive meaning if you do an nmap lowercase PR you're not going to get the results you want and you'll be mad at me so let's not do that so okay sensitive and we're going to type in our Network slash 24 you could also do a slash eight if you wanted to change the class of network you're scanning I'm going to leave it here because that's what I need for this uh the purpose of this video you could also write this this way if you wanted to but it's simple I think it's easier just to do a slash 24. and then what we're going to do is we're going to hit enter and we're going to let us do its thing and while it's doing that I'll explain what's happening what this does is it goes out and it sends out an ARP broadcast request to each IP address in that range so 1 through 254. so as you can see it went through and scanned 256 IP addresses and it found seven hosts that are up the reason we do it this way is because we're trying to limit the transmission to only necessary Transmissions we don't want to go out and do a full-blown you know TCP Discovery like we don't want to do that because that's like shooting of fireworks and going oh we're here so we're going to start off as low Pro as we can to get a to get the information of the hosts that are available we will then take this further obviously but we don't need to then broadcast to the whole entire subnet because we know these are the only hosts on the subnet so why do we need to send out a scan that scans 256 when there's only seven hosts so now we can narrow down our search hope that makes sense to you now that we have the IPS we need I'm going to go ahead and open up a file here and I'm just going to call it iplist.txt and I am going to add the IP addresses that we just discovered and here we are I'm going to go ahead and save it and get out of it now that we have that we are good to go we no longer need to do network discovery on this network but what if you needed to scan an external website or an external network you're going to need to use something besides Layer Two so for that we're going to use layer 3 scan and here's how we're going to do it we're going to first use sudo if I select select screen I'm going to do a dash PE SN and I'm going to scan a website that is actually hosted by nmap this is a free site they put up that they allow the general public to go and run and map scans against it so you can practice your techniques on this website pretty cool that they do that so we're going to go ahead and run this and I guess I should put in the actual command because uh uh uh that would end up work so we're gonna go ahead and do that and we're gonna go ahead and hit enter and our results came in really quick and it's looking like okay we the scan went through successfully we know there is a host there we know the IP is this and that is all we cared about we wanted to verify that there was a host there using layer 3 and we did and since we didn't use ARP you may be curious about what we used and we actually sent an icmp echo request out there and that came back and let us know that there was a device out there now if we would have done this against a bigger Network it would have taken a lot longer because ARP is really quick compared to these icmp Echo requests so just an FYI if you're going out there and you are doing this against a bigger Network and it's not returning as quickly as you would expect and that's why it's totally expected Behavior so that's that now let's say that didn't work the reason likely is going to be because the firewall is in your way and it's saying no no no I'm blocking those requests so you're like dang it what do I do now well now we're going to go and try layer four and how we would try layer 4 is as follows first thing we'll clean this up and then we're going to want to go and map Dash PA 80 for Port 80 and we're going to do again and we're gonna do scan meet.map.org once again and we're going to hit enter and we got what looks like the same results as the layer three and it it is the same results I mean it's not warning us about I'm using icmp uh that we need root but nevertheless we got the same we got the IP address and we got that it is up now it doesn't look a lot different to you but it is and what's happening is we're actually using layer 4. we sent acknowledgment packets to the host and as a result the lifeboats responded with a TCP rst reset packet indicating that we have received the packet and there is no open Communication channel that means the host is up so if this were a firewall this would have gone through and at least showed us that the host is up on this ipu range and that's what we wanted to accomplish so now that we know how to do that we're going to go back to what we discovered in our layer 2 scanning using ARP which is my internal network using my internal devices so let's get started on those I'm going to go ahead and clean this up and we'll get to it all right and real quick before we get to Port scanning we need to understand what we're going to be looking for and specifically we're going to be looking for the port State we want to see the results come back that the port is open this is good this means that it's accepting connections whether it's TCP UDP or sctp obviously we're going to be looking for the first two if it comes back as closed not good that means it's closed and other than verifying that there is a device at that IP address there's not much else we're going to be able to do at this point with nmap filtered this is a very vague response doesn't help us out that much I'm not going to waste time explaining it feel free to screenshot this or pause the video and check all these out with more detail if you want unfiltered this means it's accessible but it can't tell if it's open or closed not the most helpful but it does suggest that you go and scan maybe using a different technique maybe you use a layer four or Layer Two or lever three whatever you initiated with try a different method and see if you can get a little further open filtered similar but it's enabled and map was unable to determine if the port was even active so a little less useful than unfiltered last one closed filtered pretty much means it's closed so the real the ones we're really going to look for are open and unfiltered the other ones we're just going to kind of like not really worth the time so that said now we're going to move into the poor scanning all right we're going to start with the most basic of all and map scans and that is going to be and map and then the IP address of the device you want to scan hit enter and boom just like that your first scan is done now what did this do this scan scans the first thousand most commonly used TCP ports and then Returns the results so I scanned them against my my Cali Linux box that I'm on right now and they all return that they are closed that's good I didn't expect them to be open but that is how you could do it now let's say you wanted to do this to the entire network you could do that but instead of doing that you would do this but again remember what we did in the beginning we did host Discovery so we could stay low Pro under the radar we don't want to you know shoot up fireworks again we want to stay under the radar as long as possible so we're going to do we're going to go ahead and use our IP list until MF to use that so just to review what's in here those are the IPS we're going to scan and to tell Mapp to scan those I simply do this and then I give it the name of the list so it's going to be nmap Dash IL IP list and we hit enter and wait for the results all right and the results are in so let's take a look it's going to start up top it's going to go I believe it's going to start with the lowest IP and as a guitar go down that way so it started with my Kali Linux box which we already know has nothing very fun to look at going down the line here we have another machine on 2.7 that looks like it has a lot of stuff we'll look and do further keep continuing down here 2.9 has some stuff we'll look into 2.13 14 and 254 has at least Port 80.
so all the other devices look to have something we can investigate a little bit further so let's go ahead and move on to the next scan we could look into all right and this next scan is going to be useful if you are looking for a specific ports so let's say we were looking to see what devices had SSH open so what you would do is you would go and map you would do a dash p and then you would put in what port are we looking for let's say 22. so then we would put in dash IL to point to our IP list and we would put ipos.text hit enter and wait for the results and that came really quick so what it's telling us is it's closed here filtered here open here so 2.13 is open close closed closed and it looks like it's closed on all the other IP addresses but we do know now we could investigate SSH on this one so see that can be useful let's say you wanted to do the same thing but you wanted to do it for Port let's say 80. 80. 80.
see how many of them are running web servers you can see right away open open open right off the bat three and then we get closed and then we're open again that's unbelievable so right there Port 80 is almost open on all of them so you can see how you can do that and you could even combine it let's say you wanted to do 80 and you want to do let's just say 21. let's see and it would go through and you could combine them so you could continue to chain these along let's say you also wanted to know if 23 were open you have to wait a little bit longer the more you put the longer it's going to take to get the results obviously because it's doing more makes sense right so you go through here and look at this this one has ftp's open and HTTP is open let's see if any of them oh look at this guy right here all three are open so that would be a prime target so that said that is how you run with a specific or specific Port all right we're going to shift gears here a little bit and we're gonna go out and we're going to scan for filtered ports and I know you're thinking well why would we want filtered ports we want filtered ports because we're looking to see if the ports happen to be there and they're just being blocked by firewalls or other devices and by looking for these filter devices we'll know other ports we want to investigate further using different scanning techniques so to look for these filtered ports we're going to go ahead and do the following we're going to do and map as normal and we're going to do a dash s and an uppercase a and then I'm going to tell it to use my IP list again you could tell it to use your specific IP or a range all that good stuff and I'm just going to stick with this and we're going to go ahead and run it and it's going to warn you you need root so what you're going to need to do is either you know Su to root or use sudo oops you're not going to use Sue because or said sud's not going to work we need sudo so we're going to go ahead and hit enter and let it do its thing all right and the results are in let's take a quick look here uh we'll go from the bottom up this time so it's looking like 254 is not having anything right here look at this these are showing us unfiltered and remember unfiltered doesn't mean that it's open but it means it's accessible so that means we'd want to further investigate that and see if we could get in on Port 21 and 80. so let's continue up none here none here so it looks like everything else reported as either it was either showed open in another scan or it's closed so this would be the only server we'd want to further investigate on Port 21 and 80. okay let's try something else here all right I think it's about time we look at some UDP ports because we have completely overlooked those until now and believe it or not that happens more than you would believe but you're not going to let that happen because you're going to be thorough and to do this we're going to go with an end map like we do with all our commands and we're for uh we're gonna go sudo in map I should have said and we are then going to put in dash s and U for UDP and then we're going to go ahead and put in our IL for our IP list and we're going to let it run all right the results are in let's go ahead and take a look here it looks like this first server is showing us that it has some open slash filtered so that's not going to be super useful so we won't spend too much time looking at that this is showing that it has a closed UDP Port so that's not super helpful um I'm assuming TCP is open on Port 80.
that's why it's showing us that and then this has a combination of it looks like DNS right here is open so that's something we would look into and then it has some open filtered and just some more open so that's definitely something we'd want to look in on 2.13 and moving up the ladder here we have more and more open on the next machine up and it just kind of keeps going with more and more open all the way up so you can see scanning for UDP was definitely useful because if we didn't do this scan we would have been uh in the dark about some of these other ports that are open that we could have investigated so let's go ahead and check something else out all right for the next step we want to take this a little bit further now we've found some open ports both UDP and TCP but now we want to know exactly what services and version are running on those ports so to do this we need to switch it up a little bit we're going to need to go with that map again we're going to go suda just in case we need it and we are going to do a dash s and FV for version and then I'm going to do again my IP list you could do again the ranger the specific IP and I'm going to go with this oops I'll go ahead and hit enter and we'll wait for the results here after I put in my password all right and the results are in so let's take a look here first thing we'll look at is 2.254 which apparently is a Ubuntu server and when Newport 80 was open on it but we didn't know what was on it and apparently it's Apache and it's running this version of Apache so you can see how powerful this is now we could go out on Google and just look up vulnerabilities for Apache 2.4.52 on Linux going up the ladder could do the same thing for the next server but this one is also running an FTP version here vsftp 3.0.3 so again we could go out and see if there's any vulnerabilities for that version of that FTP and up here this thing has you could almost just blind throw something at it and hit a Target here I mean this is a lot of real estate to deal with here my SQL I mean SSH tell I mean my gosh there's a lot there so that's definitely one we would be uh targeting going up the ladder again we have another machine on 2.9 that looks like it has a few things looks like it's running um SMB and some other things here so that's another one we look into further and continuing up look at this this has a ton of them as well including is FTP you name it it also looks like it's running um SMB so the only one that looks good is the Kali Linux machine I'm on now so that is how you could look for services and versions running and that's going to be our kind of our bread and butter for what we're looking for but now let's say we wanted to know just to verify you know it says Ubuntu here but how can we take that a level further and for that we're going to use this next scan alright so following up with that service and version number we want to know the operating system and to do that we are going to do an nmap Dash oh pretty basic right and then you would just do you know you know by now what we're doing we're not doing that we're doing this just making sure you're paying attention go ahead and hit enter actually we need to pseudo this I caught myself that time and hit enter and go ahead and wait for the results and those results are in so let's mix it up and go from the top down this time started with my Kali Linux box and no surprise here it did not give it much information that's what I would hope for continuing down here we have 2.7 which if we continue all the way down to the bottom we can see that it identified it as a Windows 7 machine and that is correct it is running a Windows 7. continuing down 2.9 is running Windows XP and that is also correct continuing down we have 2.13 that is running Linux it doesn't tell us the exact release or distribution of Linux but it gives us close enough we know it's Linux 2.14 is also Linux it's saying unreliable and there are options we can do or switches we could put onto the command I just ran to get these results that we can look into later but for now we don't need that we don't care so much we just want to know that it's Linux and continue and done down down our last box is also Linux so that's three Linux boxes and two windows machines so pretty good there well four because Kali Linux but three that were open um and returned results so that's good now let's move on to another little Technique we can do to either speed up or slow down our scanning and that technique is pretty easy I'm going to do it using the most basic event map scans which is and map it I'm going to do scan me.mmap.org so we'll run it again mmap.org and here's where we're going to put in the switch that's going to control the speed it's going to be a dash T and the dash T has a range from zero to five zero being slow what they call paranoid five being the fastest what they call insane three is the default three is the same as running the scan like this so for to test this let's go ahead and put a t here and let's run it out of five and we'll see what it says all right and the scan finished and it took 14.15 seconds so let's go ahead and do that same scan let's try running it at a T3 and we'll let it run all right and here we go so this one took almost double the interesting thing is this actually picked up an extra port that this one didn't and it's supposed to now work that way the faster you go the less accurate your scans are supposed to be that's what that was going to be my next point of why you'd even want to do this and that goes into the quicker it's going the less accurate it's going to be the slower it goes the more likely you're going to be able to go under the radar you know under the intrusion detection systems and things like that but be warned when I say slower I mean considerably slower I once tried to do this and I used zero and it was at like 45 minutes for five hosts and I hadn't had a single result and I just canceled it because it was too long so just FYI this is a way to do it but I would if you're gonna do it it should be for single host do not run this against an entire network or you're going to be there all day long using a zero Now using a five it wouldn't take as long but you're going to set off every Alert in the system so FYI so with that said let's go ahead and move on all right and continuing with the theme of trying to stay under the radar you know we want to avoid detection we're going to run what's known as a decoy scan and this is pretty cool so we're going to do is first you need to be root so we're going to go sudo or you could you know ask you to root whatever floats your boat then you're going to put in the IP or the um subnet of the devices you want to scan I'm just going to go to against Windows 7 here because we haven't picked on Windows 7 enough yet and then what you would do is you would do a Dash D and then you would do R and D colon and the number of decoy IPS you want to do I'll go with 20. you know let's go crazy so we're going to go ahead and run this but before we do that why don't we do this why don't we open uh Wireshark and you can see what's going on as it's going on so let's put these two side by side if we can pull this off should be able to all right let's go ahead and open eth0 and let's go ahead and run it and see what we get and boom as you can see the outgoing 2.7 is getting flooded by all these Source IPS so now while we're not completely off the log we are now in the log with 20 other IP addresses which will make it a lot harder harder to pick out one specific IP address pretty cool stuff right now over on our end we got the results we wanted and nothing we don't notice much difference this is more going to be for the destination side you're not going to really get any different well you're not going to get any different results at all but that's good because we weren't trying to get different results we just didn't want them to know where we were so mission accomplished right right on so let's go ahead and move on to another way to try to avoid detection all right the next technique I'm going to show you is how to randomize the order that your scan is performed by default if you were to pick a subnet it's going to start sequentially and work its way through and that can be pretty easy for you know intrusion detection systems and other defensive controls to pick up because you're going from one host to another this is going to go a to d to C to F and all over instead of going a b c d e so how to do that pretty simple we're going to go ahead and map and we're just going to go IL and we will go ahead and put an IP list dot text and at the end all you need to do is add randomize hosts and I believe we need to be root for this so we're going to throw a pseudo in there and we'll go ahead and hit enter and I will wait and see what happens all right and the scan completed let's go up and take a look this should go from two to seven to nine and as you can see it went from two or I'm from 4 excuse me to 9 to 13 to 7 and down to 14 and ended up with 254. so as you can see it did exactly what we asked it to so that's another technique to keep you off the radar all right in the second to last technique I want to show you to try to avoid detection is going to be how to smooth your Mac address and this is pretty straightforward we're just going to go pseudo and map and enter the IP address of the device you want to scan I'll go ahead and run this against our Cali Linux box here just to see what we got and then we're going to do is we're going to go spoof Mac and then you'll enter a zero to randomize the number if you wanted to actually fill it in you could go ahead and do that as well but I don't really see what the point of that would be so I'm going to go ahead and run this and see what we got and as you can see here's what it went with that's the Mac get picked for us scanned and we knew this box had no open ports because it's pretty well-hearted so what we want to do now is check to verify that it didn't really use a real Mac and here's our real Mac so no it did not so pretty straightforward technique nevertheless it can help keep you off um some detections if they were you know actually blocking Mac addresses instead of IP addresses because unfortunately there's no easy way to spoof your IP address short of using something called ipchange which uses a proxy and it's out of the scope of this video maybe I'll do another video at some time on that but that's a little more technical but nevertheless this is one more technique moving on to the last technique for avoiding detection for the last technique I want to show you on trying to avoid detection we're going to do something known as packet fragmentation and what is that that is going to be where we're going to take our packets and fragment them into smaller packets and the reason we do this is we're hoping the smaller packets will be able to avoid detection they'll be able to you know bypass those content filters firewalls intrusion detection systems and things of that nature so let's go ahead and do it and to do it it's very basic we're going to go nmap our pseudo and map always and then we're going to put in the IP address we'll go against nine because we picked almost every other server we have here and then what we're going to do is we're just going to put a dash up at the end that's it but before we do it let's go ahead and open up Wireshark so we can take a look at what it looks like going out out out so we'll do that go ahead go ahead and do that and and and let's go ahead and hit enter done go over here and this looks normal right but check it out out out scroll by so fast see this this is a fragment that was broken up and all these all the way up here and you can see see see it goes all the way up there so in my personal experience I would say this helps maybe one out of every five times this isn't like the oh this is going to work every time it's gonna get by the detection systems it's not all that great but you know what it is another tool and it's definitely worth worth keeping in Your Arsenal so that said let's move on to testing these services for vulnerabilities all right at this point If This Were A penetration test let's see what we've done we've discovered the devices on the network we have singled out the devices we want we have singled out what ports were open on them what services were running on those ports what versions of services we're running and what operated system so we have compiled all this data now at this point we're ready to go to the next level and what we're going to do at that stage is we're going to now test to see if there's any known vulnerabilities to those specific service versions running on each of those hosts and to do that we're going to leverage and map scripting and to get scripts you can either go out to their website right here I'll show you you know you're just going to go to mmap.org I'll put the whole URL in the description and here you're going to get a listing of scripts really long listing of scripts of all different kinds of built-in scripts that you can either download by clicking on them and hitting download some of these are actually already pre-built in and some of these actually come with different distributions of Linux but if for whatever reason it's not you could always go here and download them so that will work for everyone windows or Linux you name it you can go here and get them for those of you on Kali Linux you're in luck because they actually come pre-installed or pre-loaded I should say and to get there you would just go to this location and actually one more folder in here so if we do this you can see well actually it's just maybe this will give you a little bit better view but you can see they're all here for the most part again if one wasn't here you could go up and get it from the website so that's where we're going to get the scripts now let's move forward and show you some of the most popular ones to look for vulnerabilities all right and before we get to our first script I'm just going to ask out of the uh kindness of your heart if you could smash that like button if you are enjoying this video or learning anything I would greatly appreciate it if you want to one-up me on that go ahead and subscribe for future content we're trying to get a lot of content out there and believe it or not about 80 percent of our viewers don't subscribe so they never get the notifications again and maybe they never come back to see all the great content I believe I'm putting out there so that out of the way the first script we're gonna run is one that's going to go out and look for SMB vulnerabilities on our two windows machines which we have an XP and Windows 7.
so enough Chit Chat let's get to it we're going to go ahead and run this command out here we're gonna need to change it up a little bit to add what we want to scan so I am of course going to put in il IP list dot text this little Overkill this is going to scan all devices but you know what I don't care if it runs against the Linux machines we'll at least get the windows devices while it's scanning that so that's cool you would probably want to be specific in each device but for this video I'm just going to run this list because be honest it's been a long video so we're going to let it run and we're going to see what we get so let's scroll up here let's go all the way up to the top and we can see we got some hits there so obviously the Linux box nothing this is our Windows 7 machine so scrolling down here here we go right here is the vulnerability we were looking for and it's showing it is vulnerable so that is one we would then and maybe we'll do it at the end of the video we would then you know go and take it a step further and maybe open Metasploit and see if we could actually exploit that vulnerability scrolling down same thing on our Windows XP machine so we found those two vulnerabilities let's go ahead and check a different vulnerability all right next we're going to go ahead and scan for a known vulnerability with vsftp which we saw at the beginning remember how I said I think there's a vulnerability out there let's go ahead and find out if there actually is so again we're going to go ahead and paste this in we're going to change this and we're going to add our IP list and we're gonna go ahead and run it see what we get all right and here we are it's done and we can see right here we have one and of course it's lucky number 13. surprise surprise I thought we'd actually get two hits because I remember we saw this twice but apparently that other version is not um vulnerable but this version is so 13 is vulnerable to a uh back door here so that's that let's do one more and for the last script I want to show you we're going to use a script known as Von and what Vol does is it actually scans for All the known vulnerabilities in that category so instead of individually scanning for you know FTP or SMB or SSH known vulnerabilities it's going to scan for all of them at once so this would probably be the easiest if you wanted to scan a broad range of vulnerabilities and not a specific one and to do that it's really easy we're going to go nmap and we're going to do IL for our list and then you're just going to do a script and you're going to type in Vol sure vulnerability hit enter and give it a little while and we'll check the results all right and the results are in and it took a little under six minutes so let's scroll up and look at all what we got and starting at the top with our Windows 7 machine scrolling down you can see it started at the typical ports work down and it looks like the first thing it discovered is a vulnerability with poodle this is going to allow for a man in the middle attack I believe yeah so I found that scrolling down it does tell you that there was no cross-site scripting vulnerabilities found or cross-site request forgeries so you know this this doesn't have to just be used by pen testers this can also be run by net admins system administrators to go out there and see what it what is on your network why why wait for a pen tester to come in and tell you you could do this on your own and if you're doing it from that angle you can also check out these websites that will give you remediation techniques to use if you wanted to go out and do it that way so just remember this isn't just for pen testing the focus of this video is on pen testing but this can be used in multiple different ways so continue on on down uh it looks like it's also vulnerable to this vulnerability right here remote desktop protocol and continuing down lots of vulnerabilities so let's continue down here to our next machine here this is going to be the SMB vulnerability and wow okay so lots on that machine that is not a pretty machine and then we're going down here and I believe this is our Windows XP machine and and and this one was vulnerable again right here another SMB vulnerability and I'm just going to kind of continue on down here because we'll be here all day again this is that FTP vulnerability we saw this is a new another vulnerability with the uh SSL version they're running and continue on down there's lots of vulnerabilities in these machines and a lot of that is by Design obviously for this video I did put machines out there that were going to give us some some results otherwise how would we know what to look for so as you can see we can continue on all day long there's a lot of vulnerabilities to go through here so that all said I think that kind of wraps up the um the video from nmap perspective now let's say we wanted to take this one step further right let's say we wanted to actually see if now we could exploit one of the vulnerabilities we discovered so as a little bit of a bonus here I'm going to show you how we could see if that's possible using Metasploit so let's get to that all right and if you don't know what Metasploit is go ahead and check out the two videos I have in my Kali Linux security tool Series where I cover the first half of Metasploit which is the initial exploitation phase how to use it how to use all the modules and every all the great stuff inside it and then I cover the post exploitation how to set up persistence and things like that so anyways I'm going to open up one of the many interfaces of MF MF of metasploy and this interface I'm going to use is called msf console again really long video here so forgive me if I sound like I'm rambling here so we're going to do msf console we're going to go ahead and let it open up after I give it my password and it shouldn't take too long and then we're gonna get a bunch of text and here we are so at this point what we're going to do we are going to search for vulnerability and I thought I had it copied but apparently not so I'm going to copy it right now we're going to search for vulnerability with that FTP that we saw earlier on that Linux machine so we do is we search for vs FTP here we go we got a hit it says it's an excellent that means it should work hopefully and what I'm going to do is I'm going to hit use zero and then I'm going to set my R host to to to the IP of that machine which is 13. and at this point all we have to do is hit run run run and we're going to have to wait here for a second and it looked like it denied us apparently it didn't want to be nice there so we're going to do it again because we are persistent actually we'll do persistence later in another video actually check out that second video on uh post exploitation for that so at this point it looks like it actually worked I don't know why we had a little hiccup on their first run but we're good on the second one and I can prove that by going who am I I'm root okay well you knew I was root probably uh logging in here because I did sudo right but watch this I'm rude on this server to prove that I can go here and there I am that didn't quite work did it and there you go you can see I am not on my Kali Linux box I am on the metasploitable server which is ironic because we're using Metasploit to hack them at a splatable box so anyways you can see that was pretty easy to accomplish right so we're about to close it up but before we do I mentioned some things you could do for you know defensive measures as a system administrator but just to give you some key advice here and these are things as a pen tester you would want to offer in that report that you're going to now do that you've now proven that you could exploit those vulnerabilities some things you're going to suggest they need to keep their servers patched and that's not just the server itself they need to keep the applications and services running on those servers patch they need to get rid of servers that are past the end of life Windows 7 Windows XP why are they on here they need to check their logs they need to have good backups they need to shut off unneeded ports and services they need to harden those machines and they need to be aware of what is out there you know sign up for security feeds all that great stuff so I hope you enjoyed this video if you did did again I would greatly appreciate a like subscribe to the channel for future content and that's all I have I'm I'm done that's all I can handle now so you have a great rest of your day talk to you later
Nmap, short for Network Mapper, is a free tool created by Gordon Lyon that helps network administrators scan IP addresses and ports to identify devices, open ports, and vulnerabilities within a network. It is favored by hackers for its simplicity and powerful features, including the ability to perform both basic and advanced scans, such as ping scans and version detection, which can help identify potential security weaknesses. Users can execute various commands to scan single hosts or multiple devices simultaneously, and the tool allows for exporting scan results in different formats for further analysis. Additionally, Nmap includes a scripting engine for automation and a graphical interface called Zenmap, making it accessible for both beginners and experienced users. Overall, Nmap is a versatile tool suitable for anyone looking to manage or secure their network effectively.
in map short for network mapper is a free tool created by Gordon lion known as Fodor to scan IP addresses and ports in a network it helps Network administrators identify devices find open ports and services and spot vulnerabilities its popularity has even landed at roles in movies like The Matrix and TV shows like Mr Robot hackers prefer inmap over other scanning tools for several reasons in map simplifies Network mapping without requiring complex commands or setups it supports both Bas of commands like checking if a host is up and advanced scripting through its inmap scripting engine it swiftly identifies all devices on a network from servers to mobile devices across single or multiple networks let's look at some inmap commands if you're using Linux it's already installed but if you don't have in map installed you can get it from here let's start off with the basics Network mapping starts with scanning for active devices on a network using two types of scans first we have the ping scan this scan detects devices that are up and running on a specific subnet the DSP option instructs nmap to perform a ping scan which sends icmp Echo requests to each IP address in the specified range and listens for responses next we have single host scan which examines a single host for 1,000 well-known ports commonly used by popular services like SQL sntp and Apache this command scans a single host four well-known ports commonly used by various services nmap will probe the target host to determine which services are running and accessible on the specified ports scam.in map.org is a public service provided by the inmap project for testing and demonstration purposes it's configured to allow scanning and doesn't violate any terms of service these scans are essential initial steps in network mapping stealth scanning sends s and packets to check if ports are open without completing the full handshake making it hard for targets to detect use mm- SS for this it's slower and less aggressive so expect delays in response es finding application versions is a crucial part in penetration testing doing a version scan with inmap in- SV helps find vulnerabilities and services by matching their versions with entries in the common vulnerabilities and exploits database you can then exploit these vulnerabilities using tools like Metasploit keep in mind that version scans aren't always perfect but they're a step towards breaching ass system with OS scanning mmap goes beyond identifying services and their versions it employs PCP IP fingerprinting to uncover information about the underlying operating system and even tries to determine system uptime you can enhance OS scanning with additional Flags like OS scan limit to narrow down the search inmap provides confidence percentages for each OS guess while OS detection isn't foolproof it significantly AIDS penetration testers in narrowing down their targets aggressive scanning in inmap is a powerful mode that includes OS detection version detection script scanning and Trace rout you can activate it using the Das a argument while aggressive scans offer more detailed information than regular ones they also send out more probes making them easier to detect during security audits inmap has the capability of scanning multiple hosts simultaneously this feature comes in real handy when you are managing vast Network infrastructure you can scan multiple hosts through numerous approaches one approach involves listing all the device addresses in one line and inmap will check them all together like this you can also use an asterisk to check a whole group of devices at once if you want to check just a few specific devices you can separate their addresses with commas like this or you can check a range of addresses by using a hyphen Port scanning is one of the most fundamental features of nmap you can scan for ports in several ways using the dasp parameter to scan for a single port if you want to scan for specific types of ports like TCP ports you can specify that for example you can scan for information about a particular type of connection for example for a TCP connection to scan a range of ports just separate the first and last port numbers with a hyphen you can also use the double-top ports flag to scan for the most common ports like the top 10 on a Target scanning a bunch of IP addresses is easy with inmap if you have a long list of ips in a file you can scan them all by using a command like this this command reads the list of IP addresses from the file input ip. txt and scans each one you can also add more options in Flags to customize your scan as needed when you're doing penetration testing it can take a while sometimes even days or weeks to make things easier and avoid repeating work you can export the results of your inmap scans here's some ways to do it running inmap Dash V provides verbose output giving detailed information about each step of the scan process this can be particularly helpful for closely monitoring in maps actions especially when scanning a client's Network as an outsider you can export inmap scan results to a text file using the- oen option like this this command saves the scan results to a file named output.txt in a format slightly different from the original command line output But it includes all the important information from the scan and map scans can also be saved in XML format which is preferred by many penetration testing tools this format makes it easy to parse and import scan results you can do this by running the command map-- Ox output. XML this command saves the scan results to a file named output. XML in XML format suitable for further analysis and integration with other tools you can export scan results in multiple formats simultaneously using the D OA command for example this command will generate three files with the prefix output output.
XML output. inmap and output. GN map each containing the scan results in different formats inmap offers a built-in help command to display all available flags and auctions this is particularly useful due to the extensive range of command line arguments in map supports you can access the help by running in map DH this command will provide a comprehensive list of flags and options helping you better understand and utilize nmap's capabilities the inmap scripting engine NSE is a powerful tool that allows you to automate various networking tasks by writing scripts you can use pre-existing scripts provided with inmap or create your own to suit your specific needs NSE scripts can be written or modified using the Lua programming language offering flexibility and customization options additionally NSE includes a tack script designed for Network penetration testing and exploiting vulnerabilities in networking protocols zenmap is a graphical interface that makes using n map easier it's free and open source offering visual representations of network maps and allowing you to save and search your scans this tool is especially helpful for beginners who may find the command line interface of nmap daunting with inmap you can explore in map's capabilities without needing to deal with complex commands so you might be wondering is inmap for me the answer is yes whether you're a hacker or simply want to take control of your home network inmap can be a valuable tool thanks for watching like And subscribe and stay tuned for more videos oh
The video discusses various scanning tools and techniques used for network scanning, such as Angry IP Scanner and Nmap. It highlights the importance of understanding IP addresses, port numbers, and different scanning methods like TCP scans and Christmas scans. The presenter emphasizes that using these tools for illegal activities is prohibited and provides a disclaimer about the legal implications. Additionally, the video includes a demonstration of how to install and use these tools on different operating systems, specifically Linux. Viewers are encouraged to use these powerful scanning tools responsibly and within legal boundaries.
powerful scanning tool that is illegal welcome to series episode scanning scan including welcome to [Music] C scanning for example for [Music] IP address found IP address or host name port number service name [Music] disclaimer that is illegal for example welln for example http 4om so Maxim experimentals phalic for example us Universal synchronous Syed auth so angry ip scanner rules IC andp protocol IC internet control messaging protocol resolution IP address to add a so handled FL finish res urgent pting SN scan half open scan nextled Christmas scan Christmas scan for data to reset that buffer Reser flag next fin scan so Google download Angry ip scanner downloads number operating system Linux Linux downlo so reading database and installing so inst application IP local system I [Music] if202 2p range okay host name Linux already host scanning complet so prence display Al host value so scanning so scanning on the combined plus TCP okay so scanning posss first level [Music] Dem [Music] so net discover hyph i e z okay you must be root switch user root root administrator Ro password so in the scan cl cl C [Music] private so in theet discover locular and Powerful scanning tool help number system Hy Smalls capital S hack [Music] the. SSH Port 22 open port 80 HTTP open port 443 htps HTTP s hyphen St hack the site.org so [Music] open so Random in order 10.0.2 [Music] 4 hyph SF Target Christmas capital x Christmas all scanned on this host so next n map iph SN other the null scanning aggressive scan hyph a capital a [Music] scan Trace P scan [Music]
To install Nmap on Windows, visit nmap.org, download the latest stable release for Windows, and run the installer with default settings. After installation, verify it by opening Command Prompt or PowerShell and typing "nmap --version" to see the installed version number. You can perform a basic scan of your local network by typing "nmap" followed by your network ID, or target a specific IP address to check for open ports. For more command options, simply type "nmap" in the command line. Additionally, there's a graphical user interface version called Zenmap for users who prefer a visual tool.
to install nmap on Windows go to nm.org and click on download then scroll down to the windows section and download the latest stable release once the download is complete run the installer file and install with the default settings after the installation is complete open command prompt or Powershell type nmap minus minus version and press enter if nmap is installed correctly you'll see the version number installed on your computer now let's see nmap in action first let's try a basic scan of your local network in the command prompt Type n map followed by the network ID of your local network this will scan all IP addresses in your local network for a more specific specific scan try targeting a single IP address for example targeting 192.168.1.10 will show you the open ports on that device to view the help documentation and command options type nmap and press enter you will see a list of command options and basic information about the nmap command and one more thing there's a GUI version of nmap called zenmap which can be helpful for those who prefer a visual approach e
In this video, Gary introduces viewers to Nmap, a powerful network scanning tool used to identify active hosts and detect vulnerabilities in network services. He emphasizes the importance of ethical usage, advising viewers to only scan networks they have permission to access, such as personal networks or designated learning platforms like Hack The Box or Try Hack Me. Gary demonstrates how to perform a ping scan to find devices on a network and explains how to filter results for clarity. He also shows how to run more advanced scans, including service version detection, and discusses how to interpret the output, including identifying open ports and potential vulnerabilities. Overall, the video serves as a practical guide for beginners looking to learn about network scanning while stressing the importance of ethical practices in cybersecurity.
hi and welcome back to the channel my name is gary i'm a cyber security professional by day if you've finished my command line 101 video or you already know the command line basics come and have a look at this we're going to learn nmap which is the network mapper it allows you to scan a network it allows you to identify hosts on that network that are active scan those hosts and try and find vulnerabilities in services that are running it's a really important tool to learn how to use rule number one though is you never ever use this tool on things you're not allowed to so you can use it on hack the box for example on their services when you're hacking probably not their actual website though you can use it if you're doing try hack me you can use it in the offensive security labs you can use it in your own home network but do not i repeat do not nmap everyone and anyone on the internet bad idea so with that being said let's take a look so nmap's a bit of a cult hit it's been in a whole bunch of movies notably the matrix it was in ocean's eight i don't think anybody watched that movie they even used it to hack into matt damon's brain in the movie elysium this ain't gonna kill me if you haven't heard about it though don't worry we're gonna look here at this reference guide this is a really handy little guide here if you want to just come and read every single thing that nmap has to offer this is the place to do it but i'm not going to show you that because that would be quite boring boring so let's actually look at nmap so nmap h as always to look at the help file at the bottom here you'll see there's this thing called scan me dot nmap.org now i happen to know that that's nmap offering up a website for us all to play with so let's have a play with it if i scroll up this help file you'll see the usage terms here nmap specify the scan type and the options for it and then a target so for example you can pass a hostname or an ip address or an entire network to nmap and it'll work so here's an example scanme.nmap.org don't scan that one you can even supply a whole list in a text file and here's the different scan types so let's look at a ping scan we're going to do this on my home network nmap dash sn and then i'm going to specify my home network range if you don't know anything about network ranges network submapping any of those fantastically exciting things i'll put some links in the description and you can go and have a read then i'm going to type t4 to increase the speed at which this runs and i'll type v to increase the verbosity so it prints it out on the screen so that's it finished let's look at the output so we've got some hits we also have a whole load of garbage that we want to get rid of you see all these lines that say host down so let's do the search again and we'll grep to remove host down so we just get nice clean results here's what we do we grep if you haven't seen grep that means you haven't seen my command line 101 video link is in the description go and check that out if we do grep v it will exclude things from the results and we want to exclude the word down so let's hit that and let it run again there we go much better results you can see see see master bedroom tv master bedroom some weird mac address living room ring camera okay so now we have a much better set of results here a nice clean list with no nonsense in it you can see it's scanned 256 ip addresses and has found 30 hosts hosts means devices pretty much and you should note that this might not be all of the hosts on the network for example i have more devices that just don't respond to this type of scan so that's a ping scan that's how you can find devices once you're on a network for example if you went to a business and they asked you to do a penetration test maybe they give you access to the network by plugging you in or giving you the wi-fi you might run this scan to find devices on the network that you might be able to compromise it's probably going to be quite noisy and the security tools will pick it up but that's a different episode so let's take a look at the scan me nmap website so let's probe it and let's run a script scan and a service version scan if we look at the nmap results you can see here we have script scans where it tries to run scripts to detect what it might be vulnerable to and then we can also run a service version scan that'll try and detect the service versions of the software running on that device so let's nmap scv you don't need to type this you just need to do that and then output all formats to the nmap website scan results we're going to use four threads to make it go faster and the domain is scanme.nmap.org and we want it to be verbose and as you can see already it's starting to find open ports on that device port 22 is ssh which is a secure shell we're not going to bother touching that one port 80 is a website so it might just be the nmap website i'm not too sure let's copy the ip address and come back over here paste that in and put in port 80 with a colon and it is it is the nmap website happy days and we also see two more ports discovered 9929 and this one which is elite e-l-e-e-t in hackerspeak so the whole scan's finished now and here's what we can see port 22 as i said was ssh and it is open ssh version 6.6.1 p1 running on an ubuntu stack okay port 80 is open and it's http we know that because we visited that website and that's running apache version 2.4.7 probably and if we scroll down further we get these two other ports now if this server was vulnerable you would see those results in this output in here you would see more output under port 80 if the web server was vulnerable maybe it was an old version of apache they were running and you would see extra output that says vulnerable to heartbleed for example and then you could go and figure out how to exploit that vulnerability now if you don't like this output maybe you're scanning a whole bunch of machines and you want some sort of nice clean simple way to read the output when we output the formats we get three different files one of them is this xml file and if you want you can view it like this much prettier and easier to read you can see here this is all the same output that we saw before the ip address the host name of scan scanme.nmap.org with four ports opened and then it tells us what's running on each port the instructions are just here how to use it run a new nmap scan and add this as the style sheet to your nmap scan with this argument so nmap all of your normal options but then dash dash stylesheet and then you gotta include this url so you could just come in here and copy this command for example and paste it into your command line to have a play and then just follow the rest of these instructions and you'll end up with your beautiful nmap results so that is nmap in a nutshell rule number one do not scan anything you don't have permission to scan you could end up with the police at your front door i'm deadly serious so only use this inside lab environments where you have expressed permission to do so rule number two have a play [Music]
In this video, viewers learn how to perform anonymous scans on web servers using Nmap, emphasizing the importance of not scanning sites without permission. The presenter demonstrates various techniques, including decoy scanning, zombie scanning, stealthy scans, and packet fragmentation, all aimed at hiding the user's real IP address and making scans less detectable. Each method is explained with specific commands and their effects on scan visibility, such as using decoy IPs or spoofing source ports to mimic legitimate traffic. The video also offers a free Nmap cheat sheet for viewers to master the commands discussed. Overall, it serves as an educational guide for ethical hacking practices while stressing the need for responsible usage.
When you scan a web server, you get to know a lot of information like open ports, services running, and even potential vulnerabilities. But what you might not realize is the web server also knows you. Every time you scan your real IP address, the source of the scan becomes exposed, which can be tracked and blocked. So in this video, we're going to be learning how to anonymously scan with Nap.
We will learn the best techniques that makes it nearly impossible to trace your scan back to you. Before we get started, this video is purely for educational purpose. Do not scan any website that you do not have the permission to scan. In this video, I'll be scanning the website scanme.in.org.
This is a service provided by Nap. You're authorized to do few scans a day. So, first I'll open my terminal and to anonymously scan the website. The first scanning I will do is a decoy scanning.
So type the command nm map space dash capital D. D is for decoy. I want to have 10 random decoy IPs. So for random I will type r&d colon 10 because I want 10 IPs.
Space dashp for port. I want to scan port 80. And the website that I want to scan which in my case is scanme.nap.org. And I can see the scanning has been completed.
If I check the traffic in Wireshark, the source IP has been changed and there are 10 source IPs. My real IP has been hidden inside 10 random decoy IPs. So this is how decoy scanning works. It will be harder to trace back to you because the server received multiple IP address and it will not know which one is your real IP.
The next scanning technique that we will learn is called a zombie scan. Zombie scan is also called idle scan. We will be using a fake IP, a zombie IP to scan the web server. So I'll type the command n map space-ash s capital I and I will give my fake IP and the name of my website and if I press enter the zombie IP will send traffic to this website.
I can confirm this with shark too. This is by far the stealthiest scan because your real IP never gets revealed. The next scan we're going to learn is the stealthy scan. The stealthy scan is also called the sin scan because it does not wait for the acknowledgement packet.
If you do not know what TCP is, do not worry. Just know that sin scan is more stealthier than a TCP scan. So, I'll type the command in map. And for a sin scan, I will type dash s capital s space.
I will make the scan slow by changing the timing with the command dash capital t 0. 0 is the slowest and 5 is the fastest. The slower the scan, the stealthier it is, but it will take a lot of time. If you do a slow scan, it is harder for the intrusion detection system to detect your scan because by default IDs and IPS look for rapid automated traffic.
So if your scan is slow, it cannot detect it properly. So this is how you do a stealthy scan and you can make it stealthier by making the time slow. I will quit this scan because it will take a lot of time. If you want it to be a little faster, then you can use T1.
Just know this, the higher you go, the faster your scan will be, but the more detectable it will be. However, T1 will also take a lot of time and since I'm doing this video for demonstration purpose only, I'll quit this. Next, we will look at fragmenting packets. So, type the command nap space.
I'll make a stealthy scan and space dash if this will fragment your packets into smaller pieces. If your packets are smaller in size, it is harder for the security tools to detect your scan. Now, let's learn how to make our traffic look like legitimate traffic. But before we do that, if you want to get all the Nmap commands that are discussed in this video with the full NM map cheat sheet for completely free, then click the first link in the description box and you will get the complete NM map cheat sheet.
This cheat sheet contains all the essential commands from beginners to advanced. If you get this cheat sheet, you can master NAPAP. This cheat sheet also includes the NMAP hacking script. So, click the first link in the description box to get this cheat sheet.
Now to make our scanning traffic look like legitimate traffic, we are going to spoof the source port. So I'll type the command in map. I'll do a stealthy scan and I will spoof the source port to port 53 which is a DNS traffic port. The server will treat my scanning traffic as part of the DNS query.
This will make my traffic look like real traffic and I will use the data length 2 and make it 1200. This comment will make my traffic look like real traffic. Now after the scanning is completed I can check and confirm with wire sharkark 2. It is extremely difficult for security system to detect this scan because this scan just looks like real traffic.
And finally for the ultimate scan you can combine multiple stealth technique at the same time. If you combine multiple stealth technique at the same time it will be basically impossible for the server to detect your scan. However, I'll stop this scan because it will overload the server. So that is for the end of the video.
These are few ways how you can bypass a firewall and do anonymous scan with NMAP. So if you like this video and want to watch more content related to Kali Linux or ethical hacking, please subscribe to the channel. Thank you so much for watching.
In this video from Learn Linux TV, the host introduces viewers to the powerful network auditing tool, nmap. He emphasizes the importance of obtaining permission before using nmap, as it can be against workplace policies. The tutorial covers how to install nmap on various Linux distributions and demonstrates its basic functionalities, such as scanning individual hosts, using verbose mode for more detailed output, and scanning multiple IP addresses or ranges. The host also explains how to exclude specific IPs from scans and retrieve service and version information for open ports. Overall, the video serves as a practical guide for using nmap effectively for network analysis.
thank you so much for tuning in to learn Linux TV your source for Linux related fun and learning I love producing Linux related content for you but I can't do it alone if the content on this channel has been helpful to you then please consider supporting learn Linux TV and one of the ways that you could do that is by becoming a patron which will give you access to exclusive perks also be sure to check out my latest book mastering a server forth Edition and while you're here be sure to subscribe new content is uploaded each and every week thank you so much for your support I really appreciate it now let's get started with today's [Music] video hello again everyone and welcome back to my awesome Linux tools series the series where I show you well what else what I show you in the series I'm going to show you some awesome Linux tools specifically in this video what I'm going to do is show you some examples with nmap and nmap is actually one of my favorite utilities because it lets you do some Network auditing on your network you can do things like find out which hosts are up which ports are open and things like that there's all kinds of things that you can use nmap for now before we actually dive into the examples that I want to show you in this video I want you to make sure that you actually have permission to run nmap before you do so for example you might need to ask the network administrator if that person is not you because running nmap or something like nmap might actually be against a work policy or possibly terms of service if you use a cloud provider if nothing else just make sure that you give someone the heads up and you should be fine anyway I can't wait to show you guys some really cool examples with end map so let's go ahead and dive right into it first of all we'll need to have nmap installed if we haven't done so already this process will differ depending on what your local operating system happens to be but I will have links in the description down below to where you could download nmap for your platform so that way you won't have to search for it if you run Linux on your laptop or workstation then all you have to do is install the nmap package and you can do that using your distributions package manager for example on Debian as well as auntu we can run sudu apt install and then nmap so I'll press enter and then enter again to accept the defaults and now it's installing in fact it's already done anyway this is the command right here that I used on my Ubuntu system to install nmap and this command will also work on any other distribution that is based on Debian or auntu now if you're running something else like Fedora for example then you can simply change apt to dnf and that'll help you get it installed on Fedora systems and if you're using Arch Linux then you can run Pac-Man - capital S and map just like that but if you're running a different distribution of Linux then all you should have to do is adjust this command accordingly and get nmap installed and from that point forward you'll have it at your disposal now in order to confirm that we do have nmap available what we could do is run n m-v just like that and if this works it should actually give us the version number of the installed package for nmap and as you can see in my case I am currently running nmap 7.8 now if you see an error message instead that might mean that you don't have nmap installed just make sure that you've run the installation command and you should be able to get the version which will confirm that nmap is available anyway now that we have nmap installed let's go ahead and check out some examples and we're going to start with a very simple one with this example I'm going to use an IP address of an actual node that's on my network right now specifically my TR server and I'm going to perform a simple scan which I could do by typing nmap and then giving it an IP address of the host that I wanted to scan so what I'll do is type end map and then I'll type in the IP address so we have the IP right here so it's going to be interesting to see what the results are going to be once I run this so let's do it now what we have here is quite a bit of useful information that pertains to the host that I decided to scan on the third line we could actually see that edmap was able to find the fully qualified domain name for that machine which in my case is storage. homy network.i it tells me that the host is up which I would actually hope that's the case if that particular server was not online then I wouldn't be able to record this footage because that's actually where my raw footage is stored before I edit it we also have a list of open ports on that server as well I have quite a few here so it might be in my best interest to audit this and ensure that each of these open ports should in fact be open anyway I was able to show you a very simple example for nmap I used it to scan an individual host as you can see here and that worked out just fine in addition to that I can also use the host name or the domain name if I know what it is so I'll just scan the same system again and if this works I should get the exact same output let's see what happens and there you go so what you could glean from this is that you can use the fully qualified domain name as well as the IP address depending on what information you have at your disposal let's go ahead and continue on from here another example that I'd like to show you is how the output differs when I activate verbose mode and I can do that by adding the- V option right here so the command is otherwise exactly the same but I want to see some additional information here so let's see how this output differs compared to the first two commands that I've run in this video so I'll press enter and with the- v option there was a lot more output so you might want to experiment with the nmap command with and without the- V option sometimes it might actually be useful for you to include the dasp option now here's another example what I'm going to do is add the same IP address that I scanned the first one that I scanned so I'll type that in right here but in addition to that I'm going to include another IP address so if this works I should be able to get results from both of these IPS right here so I'll press enter and let's see what happens so as we can see we have output from both of those IP addresses so what that means is that if you want to scan more than one IP then you can simply include each of the IPS that you want to scan with a space in between each but that might not be exactly the best way to go about it if you have a bunch of hosts I mean I don't know about you but I certainly wouldn't want to type a 100 different IP addresses one after another especially considering that it's not only tedious but I would probably make a mistake knowing me so another thing that I want to make sure that you guys are aware of is that you could scan a range of ips as well and that's pretty easy to do so what I want to do with this example is scan every IP that starts with2 all the way up to 6 and if this works I should get output from five different hosts of course assuming five different hosts are actually online but it's going to check five different IPS 2.3.4 do5 as well as6 and that's a lot easier than typing out each of those IP addresses one by one so let's go ahead and run it so if I scroll through the output here we can see additional machines on my network here so it was actually able to scan more than one computer it was able to scan via a range of ips and we were able to do that by running this Command right here but what if we want to actually exclude an IP from the results well that's actually very easy you could type-- exclude and after that you type the IP address of the node that you don't want to include in the results so I'll randomly just pick an IP address that's within that range and I'll exclude the node that ends in four and I'll scroll up if this works it shouldn't show four we have five right here so the one above this one should then be3 and that's exactly what it is it's skip do4 so with this command right here we are actually able to exclude a host from the scan while still including a range for the scan now let's see another example I'm going to run nmap yet again and then I'll use- lowercase s uppercase V and then I'll type a random IP address well maybe not so Random I'll just use the same one again that I excluded last [Music] time which was this one right here and what this should actually do is allow me to view service and version information for the individual ports that are listed here so let's press enter and see what happens so as you can see right here I have a list of ports but I also have version information as well and like you could see from the output this particular instance is actually a proxmox host and speaking of proxmox if you weren't already aware of it I have an entire tutorial series that's dedicated to proxmox so definitely check that out if that's something that you wanted to learn anyway with the- lowercase s V option you can see right here that I was able to get a lot more information some very useful information about this particular instance now another option that I want to show you guys is the- a option and this option should definitely give you a lot of helpful information and I'll give it a different IP address this time around let's have a bit of fun so I'll give it 101010 21 a completely different subnet let's see what happens and this is actually my Debian staging machine basically a test machine when I want to test anything on Debian I basically use this virtual machine to test my anible configs and things like that but if I didn't already know which operating system it was running then the information here would help me figure that out now obviously you should always know which operating systems you're running on your network but if you potentially have a rogue device basically an IP address that's on your network and you're not sure what it is then this output can actually help you understand what that device is the information here here might just help you narrow that down but as you can see the - a option is very useful and we could use that in any situation where we want more information about a particular host now so far we've been scanning IPS one after another we did actually scan a range but one thing I want to make sure that I show you guys is that you could scan an entire subnet if you wish so to do that I'll just type end map big surprise and then 101030 do0 this is another one of my subnets I'm going to do /24 and that's the subnet identifier The Cider if you will and what this is going to do if it works is give me information for every host that it finds on this network and there's actually quite a few devices on the subnet anyway I'll press enter and this might take a while so what I'll do is just pause the recording and then I'll be right back as soon as the scan is is is done all right so as you can see the scan is finished and as it shows right here I actually have 36 host on that subnet were at least 36 devices that nmap was able to detect so if I scroll up I'll see some of that information up here but you get the idea I was able to scan an entire subnet but another thing that I'd like to show you is that we could actually have more condensed output as well so let's check out the option- lowercase s uppercase p and we have abbreviated information here I think this variation of end map is actually very useful if you're doing some sort of auditing to find out which hosts are actually on your network in the first place so if you wanted a more simpler list then this is one way you could get that but one issue here though is that the previous command that I showed you guys this one right here the one that we actually used to scan the entire subnet the first time this one actually took quite a while to finish but what if I told you that you could actually speed up the output so what I'm going to do to show you guys the difference is I'm going to put time in front of the command and that's a standard Linux command that you could put in front of any command to find out how long that command took to execute so I'll press enter and yes it's going to take a long time so I'll be right back as soon as this is done but with this variation it'll actually tell you exactly how long this command took even though I'm going to edit this in post you'll see the actual numbers so it looks like the command finished even though on your end it only took a few seconds for you to see the results on my side as you can see right here under the real heading it actually took over five minutes actually almost six minutes to complete now let's see how we can actually condense this down and make this happen quicker so this is the command right here that we ran last time and what I'm going to do is add a new Option - uppercase t and then the number five so that's the option that I want to add let's run it and see what the difference is and check this out it only took about 1 minute 18 seconds for this to finish that's certainly a lot better than almost 6 minutes I was able to shave a bunch of time off this command and I was able to do that by including the- uppercase T5 option as you see here but what exactly does that mean well T5 is actually one of six timing templates for nmap you can actually use t0 all the way up to T5 and T5 is actually the fastest mode available now when you use T5 it's possible that some accuracy might be lost and also with that option nmap assumes that your network is reasonably fast and can actually handle this mode most networks nowadays shouldn't have any problem with this but you never know but what about the other timing templates I mentioned that you could use t0 all the way through T5 and that T5 is the fastest but what's the difference between t0 through T4 well the first two timing templates t0 and T1 those will actually slow down the scan and make it take even longer so you might be wondering and why would I want to make this take even longer well the slower options are often used during auditing to see whether or not you could bypass the intrusion detection system if there is one and the reason why that might actually work is that slower modes tend to fly under the radar now when it comes to T3 that's the default so you should never actually need to call that if you don't use any of the T options then T3 is pretty much what you're choosing when it comes to T4 as well as T5 those are actually the fastest timing templates available T4 is considered aggressive and T5 is also known as insane mode but again you might actually lose some of the accuracy when you use one of the faster [Music] modes so there you go in this video I showed you guys some examples with end map so if you weren't already aware of this awesome utility well now you are and the examples that I showed you in this video are not the only things that you could do with end map there's all kinds of things that you could do with end map so I actually will include some additional examples in the blog post that is going to be linked down below so definitely check that out if you want to learn more anyway as always thank you guys so much for watching I really appreciate it and I'll see you in the next video [Music]
In this video, the presenter introduces Nmap, a powerful reconnaissance tool essential for ethical hacking and penetration testing. Nmap allows users to gather information about targets, such as IP addresses and websites, and is available for various operating systems, including Linux, Windows, and macOS. The video demonstrates how to install and launch Nmap, highlighting its noisy nature, which makes it easily detectable by firewalls. The presenter also emphasizes the importance of using Nmap responsibly and legally, suggesting that viewers practice on the provided scanme.nmap.org site. Additionally, the video covers basic commands and techniques for using Nmap effectively, including how to gather information about IP addresses using the "whois" command and the importance of search engines in reconnaissance.
hey guys hack exploit here back again with another video and welcome to end map for beginners so this is going to be a continuation in the ethical hacking course now what is nmap well basically nmap is a footprinting tool or a reconnaissance tool now uh I had already explained this in the first class the first ethical hacking class uh this is basically the first step of uh hacking where you actually find information about the Target or the IP or the website so basically nmap is a footprint tool that gets more information about the um the Target or the IP or the website for that matter in my opinion I think in map is a must have for any pent testers or ethical hackers or hackers for that matter so uh basically uh n map uh is available on almost all the platforms all you have to do is just go to the website um just going to open nmap here uh it's nm.org that's their website it's a free free software so you can go and download it uh as you can see here it's there available for Linux uh windows and I believe Mac OS so if you're actually on map uh if you're actually on Mac I believe it's there so uh you can actually install it on uh Linux and windows because are the most popular operating systems however if you're using Cali Linux or parat Os like I am it already comes pre-installed so there are two ways you can go about launching it on Windows I think you just have to run the nmap command in the command prompt uh same as with Linux but if you're actually running a um a penetration uh testing disc like par or Linux uh or Cali Linux uh it's just in the information gathering section which is basically Recon recognisance so we have n map right here and all you have to do is open n map and it's going to ask you for your root password because it's going to need elevated uh privileges so that's one way of uh of starting end map now the second way of starting end map is just by opening a terminal uh entering your root password uh or launching it in administrator mode uh on Windows and you just want to enter your password and then I'm just going to clear the console uh like so and I'm just going to enter nmap and I'm going to enter the help um help option which will basically give me all the options available with nmap now it's going to look a bit overwhelming because it's going to give you a lot of lot of options you can just look at this as a manual basically they're giving you the different options that you can use for your different uh methods of scanning so just don't worry about anything just scroll down all the way to the bottom and look at where it says examples I'm going to use these examples to guide you um to guide you in your uh uh in this tutorial so uh firstly uh I want to just say something n map is a very very very noisy scanner now the reason what I mean by this is nmap is easily detectable by firewalls and uh by servers so they actually know that you're scanning them so the real charm of using nmap is not just scanning a a server or a site or an IP address for that matter it's how to do it anonymously or uh very quietly so that you're not detected I'm going to get to that uh very very soon so uh just make sure that you don't do anything illegal uh I mean this is only for educational purposes so uh yeah so let's get to the next part all right now uh as I was saying in the example section uh it's just going to give you an example of what a um a basic n map uh run would look like you have your nmap command which initializes in map and then you have your uh parameters that will bring results uh depending on what you want out of those results so you have your V and a now before we get to that n map basically gives you a free testing um uh scanning machine where they allow you to scan their this scan me. nm.org this web address uh for educational purposes so as you can see here hello welcome to scan me.n map.org don't worry the website will be in the description section if you're too lazy to type that out uh so as you can see we set up this machine to help folks learn about nmap and also to test and make sure that the nmap installation or internet connection is working properly you're authorized to scan this machine with n map or the port scanners try not to hammer uh on the server too hard a few scans in a day is fine but do not scan 100 times a day or use this site to test your SSH Brute Force password cracking tool so basically they they allowing you they're giving you permission to scan this which is what I was going to say you need written permission to scan any IP address any uh any website or any server for uh whatever you do uh it's on new that's what I wanted to just put out so we're going to use this as an example during uh the the end map tutorials so coming back here as you can see they've given you example scan with the scan me. nm.org uh address so what does V mean well V basically prints the version number or the name of the uh of these of the server uh uh basically the address name all right now uh the a basically prints the uh OSD detection the version detection and script scanning so it'll basically give you the operating system version the operating system itself and this it will scan for scripts all right now if we go down to the second one we have a bit of a different uh command here just ignore the SN for now I will get to that in a future tutorial uh now we as you can see here there's something a bit confusing we have a very weird looking IP uh configuration well this is not really unusual in fact in fact what this means is this is a range of IP addresses now don't be confused by this what this means uh is basically you can pass a range of I IP addresses like from this IP address to this IP address you want nmap to scan that they could be belonging to an organization so you can basically do a very powerful end map scan on like multiple IP addresses now uh before we move on I just want to show you an example of what I mean so what you want to do is open a browser and I just want you to search for this all right I want you to search for major IP block right that's the one I want you to search for major IP block with with whichever uh search engine and it's going to open the major IP address blocks just click on that by near soft now what this means is basically these are the IP ranges in every country all around the world so these are all the IP addresses registered to people or to companies so you can choose from whatever country that you want to scan from uh really anything it's up to you right so we can just try France uh let's just try France for example and it'll give you all the IPS and their ranges so as you can see from this IP to this IP belongs to Orange uh sa and it has the assigned date and the total amount of IP addresses now this comes to the very important part I wanted to explain about reconnaissance here uh if you have an IP address you can really do a lot with it and you can actually find a lot of information related to that IP address which is what I'm going to show you right now so I'm just going to pick a random IP address uh let's try um let's try this one here all right I'm just going to copy it know it's not allowing me to copy it there we are copying and I'm just going to search uh for this is a very important command this will basically give us the info about what who this IP belongs to who is all right so we're going to say who is and we're going to paste that there and we're going to enter and it's going to open in a search engine who the IP address belongs to so we're we're just going to open the first uh site that we get here so just open it and it shouldn't take too long and it's going to give you the um it's going to give you all the information about it so it's going to tell you uh the country I saw the time zone Europe Paris so you know it's in Paris it also has the longitude and latitude um coordinates so you can actually get the uh location uh however with the with the IP range addresses what they do the uh the basically the providers the internet providers is they basically assign it to a location and no more they don't have like a specific address so uh usually the location is about 90% accurate I will get to GE location in the future that's that's a bit of an advanced tutorial uh but basically you can get information about an IP using the who is uh um the command which brings me to the second part of what I wanted to say about the who is and IP addresses the search engines are your best best best friend when it comes to uh looking when it comes to reconnaissance or footprinting you can really really use them to Advantage and as you can see it's given me the range here on this website and it will give you the location and the longitude and latitude and geolocation and so on and so forth so you get the idea don't worry the websites that have used here will be linked in the description all right so let's just head over back to end map all right um one more command I wanted to show you that's really not linked to nmap but is also important for uh scanning or reconnaissance is the NS Lookup All right so NS lookup is available on Windows you don't need to install it it's just part of the operating system as it is on Linux uh you hit NS lookup and then you enter the um the target it can be an IP address or a web uh or website so I'm going to copy this site the scan me site because again I want to keep this as legal as possible and I'm just going to hit enter all right and it's going to give me the address so as you can see this allows you to actually get the address of the website and you can do it in vice versa so if I if I uh copy this all right and I said here NS look up and I pasted the uh the address there hopefully it will give me the name of the site all right and as you can see here the name is can me.n map.org all right pretty awesome right now um if I just want to give you a quick tip with NS lookup uh let's say you're running a lot of uh scans and you want to save them to a document or a to a file so what I'm going to do is I'm going to I want to save them on the desktop right so I'm going to hit NS lookup and uh we're going to let's say we want to find the name of the of this uh IP address we want to find what who it's registered to and then what you want to do is um you just want to use the two greater than signs and you want to give a name to a document that you want to save it to in this case I'm going to use a txt document and I'm going to save it on my desktop because that's where I opened the terminal from although you could change it to whatever uh directory you're in so I'm going to say say say results.txt and I'm going to hit enter and it's going to open uh results.txt as you can see over here and if I open it it'll give me the scan results pretty awesome and you can keep on saving them in here and it's just going to do it for you automatically so uh this is uh basically what I wanted to explain to you for the first tutorial uh there's a lot I've said in this tutorial and I just just wanted all of that to sync in in the next tutorial I'm going to go through the advanced end map commands but uh that's basically what I wanted to tell you uh today um basically what we've gone through in to summarize is we've gone through what n map is um the N map help commands what the N map um the N map uh what what are they call the parameters mean uh when I was talking about these parameters right here the V and the A and there's a lot of them here which I'll go get uh to in a in another video uh right after this one I just want you guys to practice what I've shown you in this video and just practice a bit of reconnaissance and uh yeah you'll get it you'll find it really really interesting to see how much information you can dig up from a lot of thing a lot of these servers and IP addresses so that's been it guys I hope this video helped you and you enjoyed it uh if you if it did help you please leave a like if it didn't help you you can dislike the video and let me know why in the comment section alternatively if you have any question hit me up in the comment section social media and or kick uh I'm always there and I'm ready to help you guys otherwise uh we're going to continue uh the advanced stuff in the next video thanks for watching so much and have a fantastic day peace
In this tutorial, Dan Duran introduces network scanning using Nmap, a powerful tool for discovering devices and services on a network. He explains the importance of network scanning for both ethical hackers and IT professionals, detailing how it can identify devices, open ports, and services running on those ports. The video covers the basic syntax and options for using Nmap, including various scanning techniques and best practices for conducting scans effectively. Dan also emphasizes the significance of understanding common ports and their associated vulnerabilities, and he concludes with a live demo to illustrate how to perform a network scan using Nmap. Overall, viewers gain a comprehensive understanding of network scanning fundamentals and practical tips for using Nmap in penetration testing.
i'm pretty sure you've seen a lot of videos out there about nmap but you haven't seen a tutorial like the one i'm going to give you hey what's up guys i hope you're doing fantastic my name is dan duran and today we're going to be talking about network scanning and nmap we're going to discover the foundation of reconnaissance and network scanning and why is it used who uses it and how it is done at the very end i'm going to show you a super interactive demo in which i'm going to share with you some really good tips about how to conduct network scanning as a professional pen tester so get your coffee and let's get going [Music] this is the agenda for today first we're going to talk about network scanning we're going to talk about common ports that you should be looking for when doing your scan we're going to talk about nmap and what it is as well as who uses it we're going to talk about the syntax of nmap basic and map options for targets as well as for switches that you're going to be using the best practices as well as a really cool demo at the very end and how actual professionals use nmap when doing pen testing and ethical hacking these are the prerequisites first you have to have some sort of stable network connection either through wi-fi or your ethernet cable you should be able to be connected to your network you have to have access to a vm either using virtualbox or utm for mac as well as as as hyper-v for windows 10 or windows 11 and a kali system which i'm going to be doing the demo with network scanning is a technique used for identifying devices that's right devices such as laptops computers iot such as smart tvs or cell phones mobiles google homes printers that are connected to the network anything that is on the network either wi-fi or using your ethernet these devices all have ip addresses given by the dhcp either static or dynamic devices also have a mac address which is like the serial number they're unique to that particular device ip addresses also have tcp or udp ports and the ports can go from one all the way to 65 ports each port must have one state either it is open which means that it's listening or is closed which means there's no service around the port they could be filtered or controlled by the firewall in the case of a white listing for example or unfilter which means that nmap can't really determine whether it is open or closed but it knows that port is actually live ports also identify two things operating systems such as linux mac or windows as well as services such as ssh server and ftp or an http server etc this is a typical example from a results report for nmap we see here one host that is up and that is ip address 192.168.0.3 it has two ports that are open 22 and 80. both are tcp and both have services in the case of 22 has an ssh server in the case of port 80 it has an http server the mac address for this device as you can see belongs to the tp-link technologies family which means it's telling you right away that this is a router or a switch let's talk about the most common ports these are the most common some of them are very insecure some of them are secure depending on the service that you're running maybe the version of the service like in openssh for example is outdated some of these are completely insecure so ftp port 21 23 which is telnet 25 which is smtp uh 135 which is rpc rpc rpc uh are very insecure ports it is a really good idea to familiarize yourself and learn what these ports do and what kind of services those ports do because that's going to be coming in very handy when you're doing your pen testing and now let's talk about nmap nmap is a powerful very flexible free network discovery tool it checks for ip addresses host names it does port scanning it discover different services inside of those ip addresses it does operating system detection it does version detection it uses a whole bunch of default scripts or you can use your own script using the nmap scripting engine a map doesn't stop there it also gives you more information on targets including reverse dns lookups for example reverse dns names device types and also mac addresses so who uses nmap fan tester ethical hackers they all use nmap it's the most famous network scanning tool in the market it is used for reconnaissance and info gathering when you want to build a topology about the network as well as fingerprint all of the devices that you have it is used for it personnel when they're doing inventory control for example or they want to build a network topology but nmap unfortunately is also used for bad stuff so adversaries use my for post intrusion activities so for example when a device gets infected with malware then there's the need for these hackers to be able to expand or do reconnaissance inside of the network to fingerprint what's out there they would use something like nmap to do that this is the typical syntax of nmap so in kali or any linux system you type in nmap then the scan type or the switches as commonly they are known for then the options such as the ports or if you want to output if you want to input and then the target which is the actual ip address the subnet or a b range or a host name in the second line we see nmap minus s capital s and then minus p 22 and the ip address that means we're doing a stealth syn scan on port 22 only and these are the different target options for nmap so you can do a single ip address you can do a hostname in the case of dan host.me or you can do an entire subnet so you can see here slash 24 you can do an entire subnet by host name you can do an entire subnet by wildcard so put in the asterisks at the very end you can do an ip range so in this case for example 192.168.1 from ip10 to 50. so that's the 50 or the 40 ips that i want scan or you can do multiple targets you can do for example 192 168.1.10 250 and then 56 so one unique ip address in there so nmap is very flexible into what you want to scan you can put exceptions you can put rangers single ip address different subnet all of that stuff inside of nmap when doing your commands these are the basic scan options right so at the very beginning minus h will give you the nmap help then if you want to do a quick scan then it's minus s capital p and then you have all the other ones for example the stealth syn these stealth tcp complete scan so difference between the tcp synth scan and the complete scan is that when we're doing tcp the stealth synth scan only sends one ping to the server or the ip address and then when the ip address responds with an act nmap disconnects that connection the complete scan on the other side does the entire three ways handshake sometimes you have servers that don't like getting ping and that's why you use minus p n for no pinging uh you can use for example as v for getting the service version and the udp scan is minus s capital u if you just want to list all the targets you put minus s capital l and then if you want to test for firewall protection for example like intrusion detection system then you do a minus as capital a if we move on there are more options r does randomize then you can specify the top ports you can also do ipv6 you can give an input file full of ip addresses to nmap you can output to different types of formats so for example xml text html etc you can exclude you can tell m not to resolve names as well as you can do reverse dns lookups and f is for fast mode and these are some of the last basic options that i can give you so for example minus capital o gives you the operating system detection minus a is used quite a bit because that is nmap does all the default scripts when doing the scan and then you can throttle the intensity of the scans so for example if you have a network that is very fragile you want to go really light with nmap so the version intensity level you put it to one or two or three for example however if you want a pro really fast and furious then you use all of the default scripts when doing the scan then you have velocity levels for example arp scans as well as no port so if you just want to get the services but no port you put minus s n and at the very end you can specify the ports that you want to use by putting a port list as a text file for example and at the very end i want to talk about the best practices according to the certified ethical hackers protocol or framework so first we have to check for live systems in the network and i'm going to show you in the demo how to do that then we discover all the ports we're going to do a banner grabbing as well and as well as operating system detection and service detection and all of that good stuff what i'm not going to do in the demo is go beyond the ids we're going to be scanning for vulnerabilities in a different tutorial using open bas for example and then we're going to create a network diagram proxy not in this tutorial but in the next ones in the future all right and this is the best part the demo i'm going to click on terminal here to initiate a terminal i'm going to go into sudo su kali and i'm going to do a couple of things so the first one is i'm going to go into my desktop there you go and i'm going to create a folder so make there and i'm going to compat i'm going to call it abc for the company cd into abc and i'm going to do all my work out of this folder okay so let's do a quick end map so nmap oh before we do that so now what we need to do is figure out the ip address and the subnet that is really easy to do so all you have to do is just type in ipa and then this is where you're going to get your ip address so 192 168 and then 157 that's my ip address we know that the subnet is going to be 192 168 179 from zero all the way to 255 because it's a slash 24. so that's very important since we're here let's do a trace route google to see what our router is going to be so right before it goes from the internal ap address into the external ap address we'll see we see here that this is the exit point so 192.168.179.35 that is the ip address for the router so now that we know that information why is it so important because this is one of the first points that you have to test when doing ethical hacking or penetration testing is testing the router the firewalls the switches etc so now let's do a quick end map on the subnet and this is to to be able to find live systems that's what we're going to do as per the framework so minus s p p p just to see what hosts are up the 168 and then i'm going to put a dot and then the asterix so just a wild card for the entire network and see what happens there you go so nmap is starting so all we're doing is just seeing what's out there and there you go so there's a whole bunch of devices in here we see ubiquitous networks we see microsoft we see sonos google and and and a whole bunch of other devices now here i have a little cheat sheet that i think you're gonna like so let me power up another terminal and i'm gonna do a vertical terminal i'm gonna go into sudo zoo and and and desktop and let's do cat cad desktop and it's going to be nmap list and as you can see here i have a little scripting here and this is going to help us quite a bit so now what i'm going to do is i'm going to copy this script okay so shift ctrl c to copy i'm going to exit out of this terminal there you go and i'm going to do an end map in here minus s capital p then i'm going to do this and at the very end i'm going to do shift ctrl v to paste my little cheat sheet here and you'll see what happens and there you go as you can see i have all the ip addresses in a just a list so what do i do i'm going to copy all of these ip addresses so shift ctrl c and i'm going to create a full file in here so it's going to be host up up up dot txt i'm going to paste all of this there you go and then ctrl d to exit ctrl l to exit or clear the screen and as you can see now if i go into nano post up i have all the ip addresses in here why am i doing this i'm doing this because uh now i'm going to create another end map to get all the information that i need all right so ctrl x to exit this now let's do another end map so i'm going to do nmap and this time i'm going to type in s minus little s capital s and i'm also going to put minus capital p n for no pinging and and and i'm going to use so so so small i capital l and and and the the the file that i created which is host up now i'm going to put in minus small o capital n and i'm going to create another file called full scan full scan dot text so basically what i'm telling nmap now is to oh oh oh the other thing that i'm going to do is i'm going to put in here a a a there you now let me tell you exactly what i'm doing so i'm doing an end map with a stealth syn scan and i want the full kabuto so i want to get the operating systems i want to get the services the open ports the whole thing i'm also putting pn or no ping which means that if there are any servers or anything that doesn't like pinging then i put this and then i'm also telling nmap to draw all the ip addresses from that little text file that i created and then i want nmap to actually output all of the information into my full scan text file so let's do that now this is gonna take a little while all right it's done okay perfect so now uh as you can see we get a lot of results in here but those results are saved they're not just on the terminal so even if i kill this terminal let's say i get rid of this terminal all together right and initiate another terminal so control alt t and then i go into desktop and sudo su now i can actually go into the cd abc which is the client folder and then i'm going to do an ls and you'll see that it the full scan is right there so let's do nano and then full scan and you'll see the nmap results and this is everything right so let's start looking at this pretty cool huh so now we have two files one that is just the ip addresses that i want to i'm going to scan and i'm going to use those ip addresses when i do an open pass vulnerability scanning so i don't have to scan the entire network i just have to do those few ip addresses that we gather through our analysis now let's do some uh some fact finding in here so we see here in this ip address the first one is 35 which is the router we see obviously that the tcp 53 is open so this is the dns right so 53 port 53 is dns and then we see obviously port 80 which is the [Music] htp htp htp and and and that is basically the access to the router online right so there you go that's the ip address and if you keep on going down [Music] let's see this we see 443 open tcp and um see if there's anything else open oh we see a dcp wrapped so that's a 1001 port and we see the fender fingerprinting here right so we see all the information about um um um the fingerprint the header so we're grabbing the headers here if we move on to the next one uh 192 168 you can see that port 22 is open and it's a drop there ssh sshd protocol 2.0 so this is very good information so let's let's power up another terminal in here so i'm going to split this i'm going to go into sudo su okay and let's do ssh and then p 168 and 179 39 what i'm doing is trying to see if i have access to this ssh right so i go into here and i say yes and it requires a password so the first thing that you test is to see if you just can click enter and get access so permission is denied so i'm going to try password didn't work i'm gonna try admin didn't work okay so which is perfectly fine right so that is that is not a problem this is usually happens i just want to see if i can get lucky right so let's see if we can do something else in here so 179.40 and this one has 2179 and 7070 with the ssl it says real server and question mark because nmap wasn't able to get the actual operating system for that let's see if i can find something very interesting in here all right so here look at this one this is very interesting because this one has ftp open as well as telnet open wow this is a really insecure i'm pretty sure this is going to be a printer right so so so oh yeah you can see here is a brother hp printer right running ftpd 1.13 yikes so let's see if we can get into that ftp so i'm going to power up another terminal okay so now i'm going to go into telnet and type in the ip address 192.168.179 dot i believe it's so so so let me see there you go and see what happens yes i'm connected so so so ctrl there you go okay so now what do we do here stat connected to the telnet service as you can see right so i can do a manual and then start doing some penetration testing using telnet now let's do ftp so we're going to do the same thing in this case i'm just going to power up ftp and see if i can connect and and and all right network password so i'm just going to do no password on that i'm logged into ftp as well right so look at this log 10 for free no major work on ftp and that's it this is what you get to do now we're going to take all of those ip addresses put them in openvas and see what we can get that ssh service that i wasn't able to get into i'm pretty sure that open bass is going to try a whole bunch i think it's about 1500 different brute force attempts on each of these services for default passwords so that's what openvast does and we're going to use that little list that our little cheat sheet for doing that in the next time i hope you enjoy this tutorial if you have any questions make sure you leave them below make sure you subscribe and i'll see you next time stay safe stay secure [Music] you
In this video, the presenter discusses NMAP, a widely used network scanning tool essential for cybersecurity professionals. They explain how to use NMAP for various tasks, including identifying online devices within a specific IP range, performing port scans, and enumerating services running on those ports. Key flags such as -SN for disabling port scanning, -p for specifying ports, and -sV for service version detection are highlighted, along with the importance of using pseudo privileges for stealthier and faster scans. The video also touches on advanced features like operating system detection and the use of NMAP scripts for deeper analysis of network services. Overall, viewers are equipped with practical knowledge to effectively utilize NMAP in their cybersecurity efforts.
If there's one tool you need to know as a cyber security professional, it's NMAPAP. N MAP is the most widely used network scanner today due to its many capabilities and flexible options. In this video, I'll cover how to use NAPAP to enumerate different computers on a network and show you how to use many of the important flags that come with NAP so you can start scanning networks like a pro. Whether you're a security analyst looking to identify assets and services on your network or a penetration tester looking for open ports to attack, NMAP has use cases for all teams in cyber security.
I've created timestamps for different topics we'll be covering on end mapap, which are your basic endmap scans and syntax, service enumeration, performance options, and avoiding detection. Without wasting any more time on the intro, let's get started. If we're looking to identify which assets in a certain IP range are online, we can run this basic end mapap scan to tell us. This end map command is going to scan every IP address from the 192.168.1.0 to 192.168.1.255 and tell us if it's reachable.
If we're scanning the same subnet or LAN that our scanner is in, then the scanner will use a combination of ICMP echo or ping requests, ARP requests, and TCP SIN or ACT probes to common ports and look for a response. If the scanner gets a response, it will flag it as online, and we will see it as such in the output of our scan. The - SN flag is going to disable port scanning because at this time, we're just trying to determine what IP addresses we can reach. And once we know which devices are online, we can then run port scans against those machines to see what services are running.
But more on that later. Lastly, this - O capital N flag is going to save the output of the scan to the scans directory as the file alive hosts in the default endmap format. We could replace this - with - og for a grappable file, - ox for an XML file, or - oa to save the output to all three files. So, let's run this scan on this 192.168.1 subnet, which my scanner is in, and see which systems are alive on this [Music] subnet.
All right, that scan is finished. And based on the results, we see that 192.168.1.1 is up, which is our router. And then we also have a virtual machine on on on 192.168.1.105. And then 192.168.1.10.11 is my IP address.
I've just booted up another virtual machine on the same subnet. So let's run the scan again and see if it picks it up. Now this time after running the scan, we see we have the same three IP addresses and also this new IP address of 192.168.1.103, which is the virtual machine that we just turned on. You may have noticed in the example scan that we're using pseudo privileges.
Pseudo privileges are not a requirement, but they are necessary if we want to be a little more stealthy and run a faster scan. This is because end mapap ran with pseudo privileges by default is going to perform a sin scan instead of a full TCP scan. Basically, what this means is when the scanner is making requests to the ports on the target, the scanner will send a packet with the sin flag set. If the target responds with a sin act packet, we know that the port or host is online and we can send a reset packet to avoid completing the TCP handshake.
This is considered stealthier than completing the full TCP handshake on every port that we scan and a little faster since we aren't waiting to close the full TCP connection on every port. But it should be known that modern firewalls and intrusion detection systems can detect sin scans. So, as you can see with pseudo privileges and the sin scan enabled, our scan took around 1.84 seconds to scan every single IP address in this range. And if we run the same scan without pseudo privileges, we see this time it took slightly longer, taking 2.09 seconds.
This may not seem like much of a difference right now, but once we start scanning every single port of a system, then the scan time is really going to add up. Performing sin scans requires elevated privileges. If we do not run end map with pseudo privileges, NAPA will default to running a full TCP scan. We can manually set what type of TCP scan we want to run by specifying certain flags.
The - S capital S flag will run a sin scan and the - S capital T flag will run a full TCP scan. There's also the option to run an ax scan, which will use the - S capital A flag, and we'll talk about that a little more later on in the video. And real quickly before jumping into port scanning, a couple more useful flags to know are the - capital PN flag, which will disable ICMP echo or ping requests as a discovery method. So if pings are filtered or blocked in your current environment, this would be a helpful flag to know.
And the -ash N flag will disable DNS resolution. By default, NAP attempts to resolve IP addresses to host names using reverse DNS lookups. So the dash N flag tells Nap not to perform these lookups, making the scans a little bit faster. Now that we've discovered some devices that are online, let's pick one and find out what ports are open on it.
So for example, to scan the 192.168.1.103 IP address for all open TCP ports, we can run the following scan, which is pseudo nmap-in- rate 10,000. And then we're going to save the output of the scans to scans NMAP all TCP. And then at the very end, we specified the IP address that we're scanning. The -p flag is going to scan every one of those 65,535 TCP ports against the device.
If we do not specify the -p flag, we would then scan the top 10,00 most common ports, which are not the first 10,00 ports. If we want to specify specific ports to scan, we can do -p and then the ports we want to scan separated by commas. For example, if you only want to scan port 22, port 480, port 443, and port 445. We could do this to scan just those four ports.
And we can also use a dash in between ports to specify a range of ports that we want to scan. So for example, if we wanted to scan ports 1 through 100, we could do -p1-100. For now, let's scan every single TCP port against 192.168.1.103 to see what's open. Now, as you can see, we quickly found many TCP ports that are open on this 192.168.1.103 server, which spoiler alert is an instance of metas-loppable 2.
The min- rate flag is going to set the number of packets that we'll be sending simultaneously. So setting the minimum rate to 10,000 will go through all the ports very quickly, but it will also be very noisy, which means if we were trying to be stealthy, this would quickly give us away. Setting a lower min rate will help us stay unnoticed and appear more like regular network traffic, but it will also make the scans take much longer. More often, we going to be scanning for TCP ports when we're looking to attack or defend a device, but UDP ports should also not be rolled out.
To scan all UDP ports, we can run the same scan, except this time specify the - S capital U flag, which will tell the scanner to only scan UDP ports. Now that we have a device and we know what ports are open on it, we can take our scans a step further and determine the services and possibly the versions of those services that are running on each port. To do this, we can first run a service enumeration scan by using the following. Here, we're specifying what ports we want to scan and figure out what services are running on each one of them.
And the - SV argument is what is going to look for services running on each port and potentially even their versions. It does this through various methods such as banner grabbing and probing for specific responses called signatures. After running that scan, now we see a version tab which gives us a little more information about the software and version of the software that's running on each port. For example, the FTP port 21 is running VSFTPT 2.3.4.
The SSH port is running Open SSH 4.7P1. On port 80, we have an Apache HTTP2.2.8 server. On port 3306, we have a version of MySQL running, which is 5.0.51a. And on port 5432, we have PostcreSQL running version 8.3.0 0 through 8.37.
If we want to know the operating system of the target and we can't figure it out based on the services that are running, we can use the - capital O argument to run an OS detection scan. N MAPAP will fingerprint the server by sending it specialized requests and look for patterns in the responses to determine which operating system is running. These are not always completely accurate and the output will even give you a confidence level on how accurate they think the output of the detected OS is. So, let's run this operating system scan against our Metas-Splitable 2 server and see what it comes back as.
After the scan completes, we see that NMAP has detected a general purpose Linux operating system running. Specifically, we're most likely dealing with Linux 2.6.9 through 2.6.33. Now, let's run the same scan on a different IP address in my network, 192.168.1.105, which is a Windows 10 workstation. This time, the scan is a little less confident.
As we can see, it's just guessing that it is a Microsoft Windows 10, 111, or 2019 server. And we also have this line here of aggressive OS guesses. It's most confident that it is either Windows 10803 or Windows 10903 through 21H1. Lastly, in the service enumeration category, but definitely the most interesting, is the ability to run end mapap scripts against a target to gather certain information based on discovered ports and/or services that are running.
I like to start by using the - S capital C flag, which will run the default end map scripts against the target and the identified ports. But end mapap scripting goes a whole lot deeper. Enmap scripts are broken down into different categories, and I'll put up a list of the categories on the screen now, and a description of the kind of scripts that belong to each category. Some notable endmap scripting categories are the discovery category which evaluates the accessible services.
The exploit category which attempts to exploit known vulnerabilities against the scanned ports, the malware category which checks for malware that's infecting the target system. And the vul category which looks for specific vulnerabilities on the system depending on which ports are scanned. So here's what the output of running the default scripts looks like. For port 21, which is FTP, we see an FTP server status.
We see that anonymous login is allowed on the FTP port and there's a writable file that is accessible by the anonymous login user as well. On port 22, we see the SSH host keys. For port 25, which is SMTP, we see the different TLS ciphers that are accepted as well as the different commands you can run against the SMTP server. On port 80, we see that the web server has a title of metas-loppable 2- Linux.
And port 8180 is running an Apache Tomcat 5.5 server. If we wanted to run all of the scripts that belong to a specific category, let's say for example the vul category, then we would use-cript and then the category to run every single script in that category against the server. So this scan here is going to run every single vulnerability script that is applicable to the 192.168.1.103 server. And if there were specific scripts in a category that we wanted to run, but not the entire category itself, we can specify the full script name instead of just the category to run just those specific scripts.
And if we wanted to run multiple scripts, we could separate them with commas. If you don't know what any of the scripts are, you can list them out by running nmap-script-help and then the category of the scripts you want to run. And this will give you a long list of all of the different scripts that are in the vul category. That way you could run against our server.
We could also just go to the default directory where all of the scripts are placed, which is user share end mapap scripts. So let's list out this directory. And here we can see the many end mapap scripts that exist that we can run against our targets. With all that said, when I'm doing a capture the flag and I've discovered open ports that are running on a box, I like to run this scan here, which I call the god scan to determine the services and their versions that are running on the machine, as well as get any information from the default and map scripts that may come in handy.
Now that we've covered all of the main identification and enumeration flags, let's talk about the settings that we can adjust to change the performance of our scan. The first flag we can change is the max retries option, which will set the number of retries that the scan will attempt to request to a port before determining that it is offline. The default for this setting is 10, which took our scan 0.51 seconds to complete. And if we were to set this to five, we see that it took just about half the time in 23 seconds.
And it looks like the same number of ports were discovered as open. The next flag is the stats every flag, which will give us updates on the scan that is running depending on the time that we give it. So for example, if we set the flag stats every equals 5 seconds, we would get a status update every 5 seconds on what the scan is doing. So here we see every 5 seconds, it's telling us how much of the scan has been completed and the estimated time left on the scan.
Next up is a common flag amongst many different tools, which is the -v or verbose flag. This is going to give us more detailed output as the scan is running. And for the most detailed output, we can use the -v or very verbose flag. So here we see with just the -v flag set, we have some more information about each time it discovers an open port while the scan is running.
And in this instance, the -v or very verbose flag is going to do something similar. If we want to adjust how long the scanner will initially wait for a response from a probe, we can set the initial RT timeout flag. So for example, if we set the flag to 50 ms, then the scanner would wait 50 milliseconds to receive a response from the target. RTT is the round trip time.
If the NMAP scanner doesn't receive a response within those 50 milliseconds, then the scanner will dynamically increase the roundtrip timeout to give the target more time to respond. This can have your scans end up taking a very long time if the max roundtrip time is too high and the scanner is waiting a long time to never hear back from closed ports. So to adjust the maximum wait time, we can set the max RT timeout time so that the dynamic increases by the scanner won't exceed the amount of time that we set here. So, if we only want our scanner to wait for a maximum of 100 milliseconds per request, we could set the max RT timeout time to 100 ms.
I briefly mentioned this earlier in the video, but if you want to set the number of packets that will be sent simultaneously, we can adjust this with the min- rate flag. So, if we were to scan our Windows host with a min rate of 300, we see it took us 5.52 seconds to complete. But if we were to raise that min rate to 10,000, we see this time it took only 0.59 seconds to complete. And then lastly, if we were to lower it to 20 simultaneous packets, it this time took the scanner 12.63 seconds to complete.
So these settings can really make a difference depending on the scope of the scan. The last flag that I'll mention for the performance option section that will also tie a little bit into the next section is the timing template or -asht flag. We can set the dash capital T flag to a number 0 through 5, which is going to slow down or speed up the scan depending on the number that we give it. Each number also has a name associated with it and a general use case, which I will throw up on the screen and summarize.
Now, the - T0 option is called the paranoid option. It's going to slow down your scan to just one probe at a time with long delays in between each probe. This is going to take your scan a very long time to complete and is really only going to be used by threat actors who have months to carry out their attack. You will most likely not be using this during a penetration test or network assessment unless you were tasked with simulating something like an advanced persistent threat.
The - T1 option or sneaky option is slightly faster than the - T0 option and is what you will most likely be using if you're attempting to remain stealthy during a penetration test. The - T2 is the polite option and is the best option if you're scanning fragile systems or production systems during a penetration test or network assessment. The - T3 option is the default option and this is what is used if you don't specify any timing template in a normal scan. The - T4 flag will scan a little bit faster than the default and is called the aggressive scan template.
This should really only be used for local area networks and stable networks with short response times. Lastly, the - T5 option is called the insane scan template. It is going to scan the network extremely fast with a higher likelihood of missing things. I wouldn't really recommend going over - T4 if you're on the same network due to the higher potential of - T5 to miss true positives like ports that are actually open.
Let's quickly compare the scan times of each timing template while just scanning three ports on my Metasloable 2 server. All right, I'm going to stop the -asht0 or paranoid option because it still hasn't completed scanning three ports. After 10 minutes, my lock screen is even coming up. So over 10 minutes to scan just three ports is ridiculously slow.
So I do not recommend using the - T0 option during a penetration test unless you absolutely have to. For example, if you have to mimic an advanced persistent threat. Now let's try the -asht1 or sneaky option against the same three ports. This time we're going to use the stats every equals 5 seconds flag so that we get an update every 5 seconds on how close the scan is to complete.
So, it looks like the T1 or sneaky scan was able to discover those three ports in just over 1 minute, which is significantly faster than T0 because after 10 minutes, we still haven't had the scan complete. So, let's see how this 1 minute scan compares to going up one tier to the polite option or T2. So, looks like dash T2 was an even more significant jump from 60 seconds to just under 2 seconds. Now we have - T3 or the default time template which completes in26 seconds.
Now let's try dash T4. This one completed in 0.18 seconds. And then -ash T5 or the insane option completes in around the same time as - T4. Once again, these scan times would be more significant depending on the scope of the scan.
The larger the scope, the more of a difference you'll see. Now that we've covered the majority of end mapap's most useful flags, let's talk about some of the best flags we can use to evade detection. Piggybacking off of what we were saying about the timing templates, you're going to want to run your scan with the time template of at least - T1 to decrease the chance of your scan being detected by an intrusion detection system or another piece of equipment. Next, to potentially aid in evading getting blocked by firewalls, NMAP's TCP act scan or the - S capital A method is much harder to filter for firewalls in IDS/IPS systems than regular SIN scans or full connect scans.
TCP act scans will only send a TCP packet with the ACT flag set. And packets with the ACT flag set are often passed through the firewall because the firewall cannot determine whether the connection was first established from the external network or the internal network. So, when doing an AXT scan, we want to look for the RCVD packets or receive packets in the output. Open ports scanned with the - SA argument may respond with reset flags, and ports that are scanned that do not receive anything back are likely being dropped by a firewall.
Several virtual private servers or VPS's with different IP addresses are recommended when doing NAP scans for a penetration test when you're outside of the network. That way, if one of your servers gets caught scanning and is blocked, you have others to rely on to continue scanning. We can also use NMAP's decoy feature to send packets with randomly generated IP addresses in the IP header to disguise the origin of the packets being sent. Our real IP address will be one of these packets being sent.
So for example, we could use the - capital D R&D col 5 to generate five packets with random IP addresses and one packet with our real IP address for each packet that we want to send to the server. It's worth noting that the decoy IP addresses should be alive in order to not set off any sin flooding security controls. Lastly, we can also set a source port to scan from instead of end mapap choosing one at random by using the flag-source-port. If the firewall rules of the organization we're pentesting are not set up properly, they may allow traffic from TCP port 53 because this is the default port for DNS.
So, if we set our source port to be 53, we may be able to bypass firewall or IDS filters. That's it for this video on end mapap. If you enjoyed or found this video useful, please leave a like because it helps the channel out a lot and subscribe for more cyber security content. If you want to talk about cyber security, feel free to leave a comment or join my Discord to reach me and the rest of my community.
Thanks for watching and I'll see you in the next one. See you.
The video introduces Nmap, a powerful network reconnaissance tool that allows users to scan networks, identify connected devices, discover open ports, and find vulnerabilities. It demonstrates how to use Nmap on Kali Linux, starting with scanning for active devices using the -sP switch and then identifying open ports with the -sT switch. The presenter also explains how to conduct stealth scans with the -sS switch to avoid detection and how to determine the operating system of a device using the -O switch. Additionally, the video highlights Nmap's scripting engine, which enables users to run vulnerability scans using specific scripts, and encourages viewers to explore Nmap's manual and documentation for further learning.
Nmap, short for network mapper, is a network reconnaissance tool that allows you to scan an entire network, find out what devices are connected to that network, the operating system those devices are running, find out what ports are open, and even find vulnerabilities that you can exploit. And in this video, we'll explore how to do all of that, so let's start. Now, the great thing is that Nmap comes pre-installed on Kali Linux, meaning that we can just start using it without having to worry about the installation. So, let's do that real quick, and our first task is to start by finding which devices or hosts are connected to the network we are currently connected to.
For this, the command will start with Nmap, followed by a space, and then we are going to use a switch -sP. Here, S stands for scan, as we are scanning a network, and P stands for ping, as we are automating the process of pinging devices connected to our network. Next, just enter the IP address of the network that you want to scan. Mine is this one right here, and you're good.
Now, just hit enter, and Nmap will start scanning for active devices connected to the targeted network, and done. So, as you can see, it shows that there are a total of five hosts up on this network, indicating that I have five active devices currently connected to the network I'm on, and the local IP addresses of these devices can be seen up here, one by one. So, that's basically how you can discover the devices connected to a network with Nmap, but as a hacker, how can we search for the open ports of these devices to identify potential entry points and vulnerabilities? Well, it's actually pretty easy.
For this, we are going to type sudo space Nmap, and now we are going to be doing a TCP connect scan, so we'll use the -sT switch, where T is standing for TCP, and finally type in the network's IP address. Then, hit enter, and boom. So, as you can see, we are now presented with a list of all the devices along with their ports on this network. But, how can we search for some specific ports for service identification, like port 80 and 443, to see if there are any web servers available on this network?
Well, that can be done by adding a -p switch here, right after the -sT switch, and then specifying the ports you want to search for, like this. And upon hitting enter, you can see that it only searched specifically for the ports 80 and 443 on these hosts. By searching for specific ports in a network, a hacker or pentester can gather information about the services running on those ports and then proceed with vulnerability scanning targeted at those specific devices. Now, these are all closed or filtered as I don't have any web server on my network right now, but if there were any, both of these ports would be open.
All right, so now that we know how we can search for devices and their ports on a network, let's address a potential challenge here that we might encounter as hackers. You see, conducting scans like these on a network can trigger its firewall detection, exposing our identity and potentially causing trouble. To mitigate this risk, we need to adopt a more discreet approach during our scans. Luckily, Nmap provides a stealthy mode that can help us stay under the radar and we can activate this mode by replacing the dash ST switch with the dash SS switch, where S stands for stealthy.
By utilizing this technique, we can conduct our scans covertly and minimize the chances of detection. Now, wouldn't it be cool if we could also scan for the operating system running on a specific device that is connected to the network? Well, Nmap can also do that. And to do that, just copy the local IP of the device you want to scan, type sudo space Nmap space dash O, and then paste the IP of targeted device, and done.
So, as you can see, it did its best to guess the operating system running on this host and it is pretty accurate as the host that I scanned was actually a device running Windows. Now, if you open up the manual page of Nmap by typing man Nmap in your terminal, you'll notice that Nmap offers another cool option called the dash A switch right here. This is the aggressive mode of Nmap, enabling us to perform a comprehensive search that combines OS detection, protocol version checks, script scanning, and trace route. So, let's quickly give it a try and see what we find.
Now, this one took a lot of time, but we did find some useful stuff such as the SSH version being utilized and trace route data to determine the distance between the target device and our network. Now, the final thing that I want to show you is pretty awesome. So, Nmap can do all these amazing things that I just showed you, but it also has a powerful scripting engine, which allows us to write custom scripts for Nmap that can accomplish a wide range of tasks. You can find these scripts on the official Nmap website and I'll put a link to it in the description down as well.
Among the available scripts, the ones that are particularly interesting are all these scripts under the vulnerabilities category here as they allow us to actually scan a device or host for vulnerabilities that we can exploit. Now you have the option to run each script individually, but if you're like me and prefer efficiency, you can run all the scripts collectively on a device. And here's how you can do it. Type sudo space nmap space double dash script followed by the script name.
Since we want to utilize all the vulnerability scripts, we'll use vuln as the script name and then specify the device we want to search for vulnerabilities on. After a short while, if any known vulnerabilities are found, you can proceed to exploit them accordingly. So that concludes our quick overview of nmap and how you can utilize it. However, if you want to become a hacker, it's crucial to delve deeper into nmap beyond what we've covered here.
So I would encourage you to explore the manual page of nmap yourself, experiment with the various switches available there, and learn more about it through online documentation or various tutorials available on the internet. If you have any questions regarding the video, make sure to ask them in the comment section down below, and I will see you in the next one.
In this episode of the junior pentester training series, the focus is on using NMAP, a widely recognized tool for network mapping and security assessments. The video introduces live host discovery, explaining how NMAP helps identify which systems are online and what services they are running. It covers various scanning methods, including ARP, ICMP, TCP, and UDP, and emphasizes the importance of confirming live hosts before conducting port scans to avoid wasting time. The session is part of a broader series on NMAP, with future videos planned to delve into basic and advanced port scanning techniques. Additionally, viewers are encouraged to create a free account on TryHackMe for access to practical exercises and resources.
In this episode of the junior pentester training series, we are going to begin our education with NMAP. And the very first thing that we're going to do is live host discovery. Now NAP, if you've never heard of it before, stands for the network mapper. And this is one of those industry standard tools that pentesters across the board, doesn't matter where you're from or what you do, what level you're at, end mapap is kind of one of those tools that will end up becoming your best friend, especially as you go through network mapping, obviously since we're in network security and of course when you're trying to do any kind of active reconnaissance.
And it even has a lot of scripts internally that will allow you to find information about the operating systems or the services or the endpoints that you're scanning and even find vulnerabilities for them. So this is a really really good tool, very powerful tool. It's free, so you can actually install it pretty much on any machine. If you have Kali Linux installed, it will come pre-installed with Kali Linux and most distributions of Linux will also have it installed on there.
So really, really good tool. really powerful tool, one of my favorites, and it's one of those tools that uh has a graphical interface, but the real hackers, the real ones out there will only end up using the command line version of it. And I think there's even a website version of end mapap. I don't know exactly how functional it is and what you can do with it.
But I do know that there is a version of it that I think is accessible through a website. So, we'll find that out for sure. But for now, we're just going to be talking about live host discovery, specific to NM MAPAP, and we're going to go through the various types of scans that it offers to do live host discovery. The overview of our video today is going to be obviously the intro.
We're going to talk about sub networks, enumerating targets, discovering live hosts, the host discovery using ARP, using ICMP, using TCP and UDP, and then reverse DNS lookup. Then we'll do our summary. We'll do our wrap-up review kind of a thing and that'll be it. You'll be dismissed for the day.
Uh, this room was developed by Stratagos Strategos. Still don't know how to pronounce that. There was a really good comment that came in the comment section that was like, you know, it's pronounced Strategos or like they just spelled it out. And I was like, yeah, it's actually pronounced this way.
And I like I couldn't help but laugh cuz you can read it in either way. So, it's it's Anyways, I thought it was funny. Um, this room is free. This video that we're doing is inside of a free room with Tryh Hackme.
They've been doing a lot of good free rooms inside of the network security section here. So, anybody, as long as you have a username and password, you can get access to the virtual machines, the attack box, all that stuff inside of this room. There are hundreds of free rooms inside of Try Hackme. I highly encourage you to have at least a free user account with them.
And of course, there are going to be timestamps for everything that we talk about in this video today. So if you want to skip around and jump to any specific section, you can look into the description below and you'll be able to find the timestamp for that section. That being said, a quick note from Hackaholics Anonymous and we'll jump into it. If you're serious about your science education and you want access to me on Discord, consider joining Hackaholics Anonymous.
We have four tiers, the supporter, agent, guardian, and master. Each tier gets their own Discord server and early access to content. the agent, guardian, and master levels get exclusive content, exclusive downloads, monthly Python automations, live streams with me every month, plus so much more. And to join, you can simply click the link in the description below, or you can go to our homepage and click the join button there, or you can go to youtube.com/hankhackshackers/join, and you will be able to join hackaholics anonymous.
Now, without further ado, let us jump into NMAP live host discovery. There are two key questions that you want to answer when you're targeting a network. The first question is which systems are up? Second is what services are running on those systems and you want a tool that can reliably do that for you repetitively.
Meaning one after another it can reliably deliver those results to you. This specific tool is called NAPAP for me and for many other people in the offensive security world in pentesting and hacking. So the first question about finding live computers is answered in this video. And this is the first in four videos that's dedicated to NMAPAP.
And the second question about discovering running services is answered in the next videos that we're going to be doing right after this one. So the one that we're doing right now is N MAPAP live host discovery. The next video is going to be basic port scans. Then we're going to do advanced port scans.
And then we're going to do N MAP postport scans. So, in this video, we're going to talk about the steps that NM MAPAP carries out to discover the systems that are online before we start port scanning, right? So, you want to see whether or not they're actually online before you start doing everything else. Otherwise, you'll be wasting time and energy.
So, this is crucial because you want to try to do port scans offline or if you try to do port scans on offline systems, you'll be wasting time, right? As I just mentioned. So um we present the different approaches that NAPAP uses to discover these things and it's known as the ARP scan address resolution protocol. The ICMP and of course TCP UDP ping scans.
So the ARP scan uses ARP request the ICMP uses ICMP pings and of course TCP UDP uses packets for TCP and of course UDP ports to determine those live hosts. There are going to be two scanners specifically that we're going to be talking about. the ARP scan and the mass scan and we can explain or we will explain how they actually overlap which parts of NMAP's host discovery and as already mentioned we're going to be using end mapap to discover systems and services uh it's created by Gordon Lion just got kind of as like a backd dooror for you it's either Leon or Lion also known as Fiodor Fodor Fodor uh a network security expert and open-source programmer it was released in 1997 um it's short for network mapper. It's free.
It's open source, released under their GPL license. It's an industry standard. I mean, literally, I said all of these things. There's also the scripting engine that can further its capabilities and it can usually go through the steps that we can see right here.
It can enumerate targets, discover live host, reverse DNS lookup, scan ports, detect versions, detect operating systems, do trace route scripts, and even write the output into a report that you can use later. This is why we love N MAPAP. So some of the questions will require the use of a static site to answer the task questions while the other ones will require the use of the attack box and a target virtual machine. So the very first one for sub networks is the static site that we're going to be using.
So let's do that. Before we actually use it, we need to cover a couple of terms here. So a network segment, okay, also known as a subnet, is a group of computers that are connected using a shared medium. So for example, the medium could be an Ethernet switch or Wi-Fi access point in an IP network.
A sub network is usually the equivalent of one or more of these network segments connected together and configured to use the same router. The network segment refers to a physical connection while a subn network refers to a logical connection. In the following network diagram, the thing that we see down here, we have four network segments or subnets. And generally speaking, your system would be connected to one of these subnets or network segments.
A subnet or simply or subnet network simply known as a subnet has its own IP address range and is connected to a more extensive network via a router and there might be a firewall that enforces security depending on each of the networks. So in this specific network, so let's see if we can kind of look at this a little bit better. Maybe not. So I'll just keep it like this.
So uh we have network A, we have network B, C, and D. So network A are these computers right here. It looks like it has a router. Network B looks like they are data devices.
There's a firewall in here as well. And there's also a router. Oh, so this is actually a router. This is a wireless access point, I should say.
And then network C seems to also have a wireless access point. And then network D has another router, firewall, and several other devices in here as well. So we have a series of networks here. We have the IP address ranges that you can see right here.
So 101100.0/24. Now I don't want to get too deep into this because this is a specific like a networking conversation but you do need to know how to read network uh IP address ranges. So essentially when you see forward slash24 that means the first three octets. So let me kind of zoom in on this for you a little bit.
So the first three octets that let me my keyboard is not working. There we go. These three so the 10.100 are three octets. Each one of them represents octet.
So 8 uh bits I want to say. Um and so what that is is when you see a forward/24 that means 3 * 8 is 24. So the first three are assigned. That's the subnet.
And then the last position right here is what's going to be changing and alternating and creating a variety of IP addresses for this specific subnet right here. This one right here is 102006. And this 16 that you see represents the first two octets. So meaning these two are accounted for.
These represent the subnet or the segment. And then these last two positions will end up giving you a variety of different IP addresses. This one right here can have a maximum of 254 addresses. This one right here can have 254* 254, which is I think like 65,000 something.
So this one obviously gives you a much larger range of IP addresses that you can use. And then we have this one right here which is again another one 103200/24 right here. So this gives us the first three positions. The first three octets end up being the subnet or the segment.
And then finally we have the one up here which is another one that has the first two octets assigned and then the last two octets are assigned or available for IP address assignments. So we see two small network segments and two large network segments and this is all part of a very gigantic network. So it's probably like a an enterprise environment like a corporate environment right. So subnets with 16 which means that the subnet mass can be written as 255 255.
So the first two are taken the last two are open. For 24 it means 255 255 255 which means the first three octets are taken and the last one is open. So we can have about 250 hosts hosts for this one. And then this one can have 65,000 hosts.
So very very very large network. So you might want to refer to task two in the intro to LAN room if you have no idea what this means. Or at the very least go and watch the SCIC 101 playlist on the elements of subnets and networking. or just if you really want to get good at this, go through the CompTIA network plus playlist and you'll get a very good education on this as well as everything else that has to do with networking and it'll make you very proficient with NAPAP because NAP again is the network mapper.
So you want to know as much as you possibly can about a network, the infrastructure of it, the various elements of you know Ethernet versus IP address, the OSI levels, etc., etc. So there's a lot of stuff that is available to you that you should be looking at. Uh or is it OSI or ISO? I want to say it's OSI.
Um so anyways, uh as a part of active recon, we're going to discover more information about a group of hosts or about a subnet. And if if you're connected to the same subnet, you would expect your scanner to rely on address resolution protocol queries because the query itself looks for the MAC address. and a MAC address is on layer two before it actually gets to layer three which ends up being IP addresses. Right?
So the communication over the link layer becomes possible on this layer. However, we can use this to infer that the host is online and revisit the link layer. We're going to be doing that in a couple of minutes. So if you're in network A, which is this piece right here, this one right here with the subnet of uh 10 10100 allowing for the last octet to be available.
So if you're in network A, you can use ARP to discover the devices within that subnet, which is this right here. Suppose you're connected to a subnet different from the subnet of the target system. In that case, all packets generated by your scanner will be routed via the default gateway which is the router to reach the systems on the other subnet. The ARP queries will not be routed and hence cannot cross that subnet router because the ARP queries can only work on your local subnet.
ARP is a link layer protocol and the packets are bound to their individual subnet. So we're going to click on view site to start the network simulator and we'll use this to answer the questions in task 2 4 and five. So here we go. Send a packet with the following from computer 1 to computer 1.
It's going to be an ARP request and the data is going to be computer 6. And we're going to send that packet as we can see right here. How many devices can see that request? Did computer 6 receive it?
Send a packet with the following right here etc etc. So, I'm going to zoom out of my screen a little bit just so we can actually see it in split screen because this type of uh static site that we get actually opens up in split screen like this. So now we can see this this uh network diagram that we see right here and at the bottom we actually have these elements that we can go ahead and mess around with it. So the first question is asking us to go from computer one to computer one using an ARP request and the data is just going to say computer 6.
So right here we have computer one to computer one. We're going to change it to an ARP request and then the data is going to say computer 6. So there we go. We're going to send that packet and I should be going up here just to be able to see it.
So I wonder if it already sent it. So let me send it one more time. There we go. It sends it.
So you can see that it got sent out, right? And then that's basically it. It didn't leave the router, right? So we saw the blue dots came.
They went to these other ones. They even went to the router, but it didn't leave the router to get to switch two, which would end up being in this subnet that would connect to computer 6, right? So, that was it. So, we'll do it one more time, and then we'll go up here.
You see that the blue dots only go to and then the blue dot never leaves the router. So, it stays within this subnet. So, computers 1, two, and three got it. The switch got it.
The router got it, but the switch number two did not get it. Therefore, this segment did not get it. So how many devices can see that ARP request in this particular case if we're counting the router it would be four. So let's see that is the an answer specifically.
Did computer 6 receive the request? And the answer is no because it didn't even leave from the router to get to the second switch. Now send a packet with this following configuration. Computer 4 to computer 4 ARP request trying to get to computer 6.
Now, computer 4, as we can see, is in this subnet. So, computer 6 should receive that. So, we'll do computer 4 to computer 4, and we're going to send it. And then we can see that computer 6 indeed received it.
And then the computer 6 responded. So, you saw that, right? So, let's do this one more time. We're going to do it.
It sent it. And then computer 6 responds. And now computer 4 receives it, right? So, it's coming from computer 4 to computer 4.
We're trying to connect to computer 6. And then now we actually have something inside of the network log, too. The ARP response is, "Hey, computer 4, I am computer 6." So, that's computer 6 responding. And then this one, it says, "Hey, computer 4, I am computer 6 again." Oh, that's because I sent it twice.
So, that's the reason why. So, computer 4 sent the request and computer 6 actually responded. So, now in this case, it says, "How many devices can see it?" Again, it's four, right? But did computer 6 actually reply to the op request?
In this case, it did reply. So the answer to that would be yes. So excellent. Now we can zoom back in and go into the next piece which is going to be enumerating targets.
Now in the few tasks ago we looked at the various subnets right and we were talking about also the techniques that we can use for scanning them. But before we do that, we need to establish the targets that we actually want to scan. So we can provide a list in general, a range or a subnet in its entirety and say just scan everything inside of this subnet. So the examples of the target target specification would be something like this.
So a list would be you give it the IP address and then you give it this specific element right here and this specific element and it will give all of these things a scan. So technically we have three IP addresses that we're going to be scanning the actual IP that we've assigned this the one that we gave right here. It's going to also scan this website or whatever the IP address would be for this website and then it's going to also scan the IP address for the this website. So we're providing three different uh targets for it to scan.
When you do a range, you say I want you to do 10 11 12 15 220. So it's like 10.11.12. That's the subnet. And then you're going to say I want you to do 15 220.
And it will scan six IP addresses number 15 16 17 1819 and 20. So it includes this as well as everything in between as well as the last one. Right? So that's a range and then you say scan a subnet.
So the IP address and then forward slash30. It'll scan four IP addresses. Now this is kind of tricky. So this is the part that I wanted to make sure that I got uh a good understanding of when I was initially learning this networking and subnets and things like this.
So let's figure out why if we do forward/30 because so far we've done you know we've done forward/16/24 and that's a little bit easier to understand cuz you have an octet right so each one of these represent eight so if we do three of them that would be 24 if we do two of them that would be 16 so what does it mean when we do forward slash of 30 in order to understand this we need to first understand what c is and it stands for classless interdomain routing so interdommain domain meaning inside of the domain and there's no class assigned to it and it's we're routing it. So the forward slash30 in this particular case in this specific uh phrase right here is shorthand for the subnet mask. So that part we already know that this is the subnet mask that we're doing. So you could have a for/16 24 etc.
The part of the IP address that identifies the network is the network portion which is represented by that 30 and the host portion if part is part of the uh IP address that identifies the devices within that network. So the number after the slash indicates the number of bits right used for the network portion. So since an IPv4 address has 32 bits in total, the forward slash30 means 30 bits are already used for the network part and two bits are left for the host part. So 32 total bits minus the 30 network bits will leave us with two host bits.
Now how we calculate the actual number of hosts is since we have two host bits, it's 2 to the power of two. So whatever the uh the total number of IP addresses is the formula for it is it's 2 to the power of n and n is represented by the number of two host bits. So in this case the two is the constant right and so it would be left to the power of two. So 2 to the^ of two would be four.
If we had a subnet of 24 right here right so 32 minus 24 will end us with end up with eight. So it would end up being two to the power of 8 and it will give us let's I think it's like 256 or something like that. So the four IP addresses just to break it down even more. They always have specific roles.
So there would be a network address, a first usable host address, the second usable host address and the broadcast address. Now the first IP address in that range in this range of what's available here, it's usually identifying the network itself and can be assigned to a host. This is also known as the gateway address and it belongs to the router. Then the next one would be the host.
Next one would be another host and then the last one which is typically 255 ends up being the broadcast address meaning it sends out data. So it's the broadcast address and network address are always taking it up. So when we say that there is a total of 256 available, the first one is taken by the gateway. The last one is taken by the broadcast and then anything in between is available for hosts.
So 256 minus one and two will leave us with 254 meaning we have a possible 254 assuming that it was a forward/24 for that subnet. In this case it's for/30. We have a total of 32 bits. So 32 - 30 will leave us with two bits.
2 to the^ of 2 end up being four IP addresses. So out of the four IP addresses in that range, only two are actually usable for assigning two devices. So hopefully this now makes a little bit of sense for you or it makes more sense. Hopefully it makes more sense.
So we can also provide a file as the input for a list of targets. So you can do N map uh lowerase I capital L and then give it a list of hosts inside of a text file. If you want to check the list of hosts that it'll scan, you can use N mapap lowercase S capital L and then give it the targets. And this option will give you a detailed list of the hosts that end MAPAP will scan without actually scanning them.
So NAPAP will attempt a reverse DNS resolution on all the targets to obtain their names. Names might reveal various information to you as the pentester. If you don't want to go to the DNS server, if you don't want NM map to the DNS server, then you can use the lowercase N so that it doesn't resolve names. So, we're going to launch the attack box, which I've already done.
And I'm going to open a terminal and use N map to answer the following question. So, if I scan this, so number one, and I feel like it should be kind of already noticeable for us, right? Cuz it says uh it's giving us a forward/29. So we know if we do 32 minus 29 it's a total of what 3.
So 2 ^ of 3 I want to say is what is that? Eight, right? So what would be the the first one that it would scan? It should be if I'm going to I just want to guess it before I do this.
It should be nine cuz the first one would end up being um the gateway. So I think it would be nine and it's not. So would it be eight? It is eight.
Okay, great. All right, so that makes sense. So that would be the first one that it would scan, right? Because we would have technically 10 10 12 and then we're giving the first 32 bits are already taken or excuse me, the first 29 bits are already taken.
So inside of this whole thing, the first 29 bits are taken, which actually takes into this octed as well. And we're left over with three. So 32 - 9 g uh 32 - 29 gives us 3. 2 ^ of 3 would give us 8.
So that would end up being 10 10 12 and 8. So what I want to do is actually scan it. So I want to actually run end mapap to scan it. So let's open up our split view here and go to the attack box that's right here that's already launched.
And I might need to zoom out to make this functional here. So that's the Oh, there we go. That's the attack box. And then we're going to open this up in a larger screen.
And then we're going to shrink this back down. And then zoom back in here. And so we're going to go ahead and scan this specific network segment. So I'm going to copy this.
Go here. And let's close this out. Close this out. And open our terminal.
And very, very simply, we're just going to do end mapap. And then we're going to paste that address that we had. Press enter. and it starts scanning.
So, scanning uh end map done, eight IP addresses, zero host up, scanned in 00 seconds or whatever, whatever. Um, didn't really give me much, but it did give me the fact that it scanned eight IP addresses. I could do I believe I could do for/v for it to give us a more verbose output. So, there we go.
When we use verbose, it actually gives us the IP addresses that it's scanning. So the very first one that it scanned is 10 10 12 8 and then 9 10 11 12 13 14 15 and that was it and they were all down. So they're not working because obviously it was uh dead. We didn't launch any kind of a virtual machine to do this.
It was just we're trying to figure out what it would scan. So how many IP addresses will end mapap scan if you provide the following range 1010 and then 255 right? Is that 10 * 10 0 255 and then it goes from 101 to 125. So it includes 101 and it includes 125.
So it this doesn't make sense actually cuz this part is kind of confusing to me. This piece right here is confusing to me. So let's actually go over here and let's just do end mapap and see what the result would be cuz that's the piece that's a little bit bit bit interesting. Oh, interesting.
because we're getting for this octed we're actually giving it a range and then for this octed we're also giving it another range. So if I press enter it should be down but it should give us how many that it actually scanned in a couple of seconds so that it'll just calculate it for us. But that's the part that was kind of confusing to me was this piece right here because this is actually for this octed is giving us from 0 to 255 and then from this one is from 101 to 125. So you would end up multiplying that.
You would multiply them together. And interestingly enough, this was actually open. That's interesting. So which one is it?
This is the report for 10 101 131 1119. That one was actually open. And the one above it is also open. Interesting.
So okay, how many it scanned? 6400 IP addresses were scanned and 125 of them were up. So, if we scroll up here, we actually get to see all the ones that were up. So, interestingly enough inside of that range.
I don't know what what uh whose IP range we just scanned cuz I didn't launch any kind of a virtual machine. So, interestingly enough, that actually worked. So, 6400 would end up being our answer and we actually got some results, which is kind of interesting. All right.
So now let's go to discovering those live hosts. So we did enumerating of the target. So now we want to discover the live hosts. All right.
Now we're going to look at the TCP IP layers. And so we have the ARP, ICMP, TCP and UDP. So from the bottom up. So we can see right here, right?
So this is the ISOsi model. And this is typically this is the more modern version. The TCP IP is a more modern version of this. But still in a lot of networking conversations they refer to the OSI model uh more than anything else because it's the seven layer model.
It starts from the bottom to the top. So everything starts from the physical layer and the physical device connected to a physical cable that's being drawn from outside or it's you know being drawn from uh your router or from your modem and it's going outside right and then it connects to the the big cables outside etc etc. So from the physical layer it goes to the data link layer and the data link layer is the layer where your ARP protocol works from and then this is where MAC addresses come into play and then it goes from here to the network layer and on the network layer is where IP addresses come into play and then the transport layer. This is both across the board.
Same thing over here. And of course uh when we look at the TCP IP, the equivalent of the first two, the physical and the data link are just known as the link layer in TCP IP. So it covers the ARP, Ethernet, Wi-Fi, DSL, Bluetooth, all of those things are covered in this section. And then where IP addresses come into play would both be on the network layer.
So we have IPv4, IPv6, ICMP, IPSC, etc. And the transport layer on again is the same on both of these. And we have the TCP UDP protocols. And then on OSI you have five, six and seven all being a part of when the data is being presented on the receiving side.
So you have the session that's generated data is now formatted for proper presentation and it's presented through some kind of an application. Let's say the web browser. Okay. All of this is combined into one and it's for the application layer.
And inside of this again we have HTTP or HTTPS. We have SMTP POP 3 which are both related to email. You have IMAP and you have SSH, FTP, SNMP tell and then all of the other protocols that essentially come through a variety of different ports that are presented on the application layer. So TCP and UDP feeds into these various ports and these various protocols.
So you have a bunch of TCP ports, a bunch of UDP ports, and the way that they present data to us and how we use them through our application layer, whether it's email or web browsing or watching a video, etc., whatever it is. So this is just a very like very surface level overview of the OSI model or the TCP IP model. But you need to understand that it starts from the link layer or the physical layers and then it goes to the network layer and then it goes to the transport layer etc. So knowing this right keeping this in mind then we're going to be talking about how scanners can actually use each of these in detail.
So these four protocols specifically the ARP layer uh ARP being that it has the single frame or the single purpose of sending a frame to the broadcast address on the network segment and asking the computer with a specific IP address to respond by providing the MAC address of that computer. So we know by you you know uh address resolution protocol essentially is very similar to what we saw earlier in that one exercise the static website it sends it to everybody right that ARP request is sent to everybody and then all of the computers or the machines on that network segment are going to respond saying that this is my IP address and then after that it'll be stored in the table of the data including all of the MAC addresses and their associated IP addresses And then from that moment on, anytime that another ARP request goes out, it says for this specific IP, I know that it has this MAC address. So I need this specific IP to respond. Okay, so this is all done on the data link layer or the link layer as we can see right here.
Okay, ICMP has many types. So it uses type 8 for ping echoes and type zero for echo replies. And if you want to ping a system on the same subnet, the ARP query should precede the ICMP echo. Again, because it's on the same subnet, so the ARP can just communicate with it.
You don't need to do a ping to the IP address. And then TCP and UDP are transport layers, but for network scanning, a scanner can send a specially crafted packet to the most common TCP or UDP ports. They call it the top thousand, but it doesn't necessarily mean the first thousand in the range of 65,000 plus ports. It doesn't necessarily mean that it's the first thousand.
They're just talking about the top or the most common uh thousand ports to check whether the target will respond. And it's sufficient especially when ICMP echo is blocked. So if we've closed the network simulator, which I did, um but we can click on view site in task two again to display it again. And then we can go through the rest of these things.
So technically, I think I can just still do split view. And it's super zoomed in. So I got to zoom back out again. Um, and now it's inside of the the attack box.
Look at how zoomed in that is. Is my keyboard working? Why is my keyboard not working? So let me see.
There we go. Okay, there we go. So we can zoom out a little bit and then we can go back to the network simulator, which is what we have right here. And so we'll use this to answer the following question.
So first it says, send a packet from computer one to computer 3. So, we know they're already in the same subnet. We're going to do a ping request for the packet type. And what's the type of packet that computer one sent before the ping?
So, I already know that it's an ARP, but let's check it out. So, it's going to go from computer one to computer 3. And we're going to do a ping request and no data needs to be submitted. We're going to send it and we'll see that it sends it, right?
And then computer 3 will actually respond. But then what we can see right here and it's continuing, right? So first it sent the blue packet and then it sent the ping packet. Right?
So if we go look at this down here now in our network communications. So first it sent an ARP request and then the computer responded with a ARP response. Then it sent a ping, right? And then the ping was also done in several packets that were sent or several log items that were sent.
But the first type of packet that was sent, it was the ARP request, right? So first it does the ARP and then after that it does the ping. Now what is the type of packet that computer one received before being able to send the ping? And that was the ARP response.
So how many computers responded to the ping request and that was one because it was just sent to computer 3 and because they're on the same subnet it found it immediately and from there it was able to respond immediately. So now what we're going to do is we're going to send it from computer 2 in the first subnet to computer 5 in the second subnet. And now we're going to do again the same ping request. So I'm going to do this computer 2 up here and it's going to go to computer 5.
And this would work the same way if we chose any of the computers in this subnet to go to this subnet. It would still be the same concept. So now we're going to do a ping request again. We're going to send packet.
Go up here. So it sends it right now. The router responded saying that this is not in my network. So, it's going to send it to this subnet and then computer 5 is going to respond and then the ping is going to go to computer 5.
Computer 5 is going to respond and then from there the ping is going to go to computer 2. So, first there was an ARP, right? There was the blue dots, the ARP request that was sent and then the ARP response came from the router saying that this is not in my situation. It's not in my subnet and then or I guess it's not in this this switch's subnet.
So the router said I need to communicate you. I need to route you to this other subnet. And inside of this subnet computer 5 then responded with a blue dot. So it was another ARP that was respond and then from there it sent the green dot which was representing the ping packet.
So we see it right here ARP packet ping packet. Right? So we saw that. So now it says what's the name of the first device that responded to the first ARP request and that was actually the router that responded.
Right? So, what is the name of the first device that responded to the second ARP request? And that was computer 5 that actually responded. And we're going to send another ping request.
Did it require new ARP request? Now, here's the interesting thing. Same thing, right? Same configuration.
So, we're going to send another one, but they already have communicated with each other. So, you notice it just sends a green dot and they immediately responded back to each other. Because the ARP table has now been built because they sent those blue dots. we now know which MAC addresses belong to which IP addresses.
And then from there, you don't need to redo another ARP request to find the IPs, right? So, it now has that table and it knows that, oh, okay, I need to just send it to the IP address for this computer. So, I'm going to match it up to the MAC address for it. I no longer need to do an ARP request.
So, no, it did not send a new ARP request, right? So it builds those tables unless you clear that ARP table and you just clear it out and start from fresh. It's not going to send any more ARP packets. And the main reason for this is to like make the communication between the networks more efficient and faster, right?
You like if you had to send ARP requests every single time, it would be very inefficient and relatively slow. It's this is all happening in a matter of seconds anyways. So it would just be relatively slower. Anyways, that is our exercise for that one.
And hopefully that was that was kind of fun for you. I I like seeing these types of communications. So, so hopefully that was as fun for you as it is for me because I am very much a nerd and these types of things geek me out. I nerd out over these kinds of things.
So, let's do the end mapap host discovery now. So, going back to the beginning of this video, it's very important to avoid wasting time with port scanning if you don't even know if the host is online. So, if the host is offline, you're literally wasting time and energy and processing power and all of that. So, the first thing is we need to find out what host is actually live.
What hosts are up and running. And there are a few ways that we can do this. When there is no host discovery options, end mapap will follow these specific pro protocols. So when a privileged user, so pseudo user tries to scan targets on a local network, end mapap uses ar request, a privileged user would be root or somebody that's on the pseudo list and can run the command pseudo.
When a privileged user tries to scan those targets outside of the local network, NMAP uses ICMP echo requests, TCP acknowledge or to that that goes to port 80 or TCP synchronized to port 43 and ICMP timestamp request. And when there's an unprivileged user trying to scan the targets outside the local network, it uses the TCP 3-way handshake and it sends a full set. So it sends the SIN, SIN acknowledgement, and acknowledgement, right? So all of those things are actually they need to be completed.
It's a full connect scan that's being done and it goes to ports 80 and port 43 443 excuse me. So by default using a ping scan to find live host and then proceeding to scan live host is what end mapap does. And if you want to use it to discover online host without port scanning the live system you can issue the SN so it doesn't do a port scan and then you just give it the targets. So we'll see what that actually is.
So ARP is possible only if you're on the same subnet at the target system. We already established that on Ethernet 802.3 and Wi-Fi 802.11. These are just standards and you will become very familiar with them if you're not already. These have to do with again networking concepts.
So you need to know the MAC address of any system before you can communicate with it. The MAC address is necessary for the link layer header. The header contains the source MAC address and the destination MAC address. to get the MAC address, the operating system sends the ARP query and the host that replies that to the ARP query is actually up.
So if the host replies, we're assuming that the host is up and running. The ARP query only works if the target is on the same subnet as yourself. So we're being redundant right now by saying this over and over and over again, but it's important for you to understand. ARP only works if it's on your subnet or your segment.
So on the same Ethernet Wi-Fi is what we mean. you should expect to see many ARP queries generated using uh during an end map scan of a local network. If you want to only perform an ARP scan without port scanning, you can then use the PR option and then the SN option. So, it's PR combined with SN and where PR indicates that you only want to do an ARP scan.
The following example shows NAP using ARP for host discovery without any port scanning. So again, N map PRSN the machine IP and then forward/24. So in this particular case, we're doing we have this subnet established. So we're doing the first 24 octets is already established.
So we're only scanning the next one. And so we have pseudo end mapap and then we're doing the ARP and then we're doing uh no port scanning and then we're giving the assignment to it and then it'll just do and see whether or not these things are up, right? And so it tells you this host is up, this host is up, this is up, this is up, etc. So the attack box had the IP address and it used ARP request to discover the live host on the same subnet and it scan works.
The ARP scan actually works. As you can see, this is what it kind of looks like. If we wanted to look at what the dialogue would be between the two endpoints. So you have the requesttor being this.
It sends the ARP request and then this replies and the host is up. That's it. We don't do anything else. There's no back and forth.
If you did a TCP, we would send one, this would reply and then we would send another one. That would be the full TCP connect scan. So, if we look at the package generated using a tool like TCP dump or Wireshark, we will see network traffic similar to the figure below. And in the figure below, Wireshark displays the source MAC address, destination MAC address, protocol, and query related to each request.
The source address is the MAC address of the attack box while the destination is the broadcast address as we don't know the MAC address of the target. However, we see the targets IP address which appears in the info column and we can see that we are requesting MAC MAC addresses of all the IP addresses of the subnet starting with and the host with the IP address that we're asking about will send an ARP reply with its MAC address and that's how we know that it's online. So you see it, right? The broadcast address is sending everything.
Hey, who has this? Who has this? Who has this? Who has this?
Who has this? And then it says, tell this one, right? So whoever has this, tell this. So it's sending all of those requests out just because it wants to know what the responses are and which MAC address belongs to which IP address, right?
and the source MAC address. You can see right here, this is the source MAC address that's broadcasting these ARP queries to all of these different destinations trying to build its table of MAC address IP address combinations. To talk about these things or talking about these things, we should mention that a scanner built around ARP queries is also known as ARP scan. It has a lot of options to customize it and you can go to their wiki for detailed information.
One popular choice would be the local net or simply arpscan-l and it'll send queries to all the valid IP addresses on your local network. Moreover, if your system has more than one interface and you're interested in discovering the live host on one of those interfaces, you can specify using the capital I. So for instance, pseudo arpscan capital i and then you give it the interface name and then you do the -l so that it knows that it's doing it on the local network and it'll send queries for all the valid IP addresses on the eth0 interface. It's not installed on our attack box but it can be installed using apt package installer using apt install arpscan.
So in this example we're using ARP scan and since we ran this at a time frame close to the previous one we did uh or two codes to the previous one that we did right here we obtained the same three live targets. So pseudo arps scan etc. And then again it gave us the three live targets starting da da da and then it said these are the IP addresses for these MAC addresses. Four packets received zero were dropped.
This is assuming that this was actually done right and that's basically it. That's all we got. So the command arcs scan will generate many ARP queries that we can see using wireshark etc. And then you can see that the packet capture for arcs scan and end mapap yield similar traffic patterns.
Same MAC address. So let's not zooming in. So same MAC address sending broadcast ARP protocol. Who has this?
Who has this? Who has this? Right? And then there was an announcement for this.
This is what I'm trying to do here. Who has this? Who has this? Who has this?
So this is what it's basically doing, right? Same thing. The concept is that we're trying to achieve the same result here. It's just it can be done with two different tools and it'll essentially yield the same type of traffic generation.
So we're going to go again look at the network simulator and we're going to be sending broadcast ARP request packets with the following options. Computer one to computer one, ARP request and data. Try all possible eight devices other than computer one in network two. So computer or in the network computer 2 computer 3 computer 4 5 6 D and D.
How many devices are you able to discover using ARP requests? I'm just going to take a guess here and I'm going to say three. That is the answer cuz it it only has that many devices inside of its network. So it's sending it from computer one to computer one.
That's the thing. It's like it's communicating to its own subnet. So that was I mean we'll do it. I'll still do it, but I just know that there were three devices inside of that subnet.
So it's like that's literally the only response that we should be getting. So uh let's zoom back out and then go to the split view here. And we're now going to do from computer one, right? From computer one to computer one ARP request.
And then we're just going to try to connect to all the different ones. So we're going to do the first thing, right? So ARP request and then I'll do like computer 3, right? So let's do computer 3.
And if I press enter, it doesn't work. So I have to actually press this button. So it sends the packet, right? It's trying to communicate to computer 3.
Computer 3 will actually reply. That's the ARP request. Now, if I do computer 5, which is outside of that subnet, it's trying to communicate to this computer right here. Right?
It's not going to work because I'm only doing an ARP request. I'm not doing a ping. The ping will travel across the MAC addresses and it will use the IP addresses to establish that connection. It's not going to work if I do anything else.
Right? So the only response that we will actually generate would be from computer 2. So let's do computer 2, right? Computer 3.
So it'll send it. Computer 2 is going to respond. There you go. And then we're also going to send it to the router because the router is technically there as well.
or not the router I think it's the switch excuse me so the switch will send it and data in what ARP request and the data needs to be in a valid device it says oh switch one excuse me so it needs to be switch one so send it and it'll send it and there you go so switch one didn't it didn't even reply right and so then we can do router come on I can't spell for some reason and so there we We go. It sent it. And the router should actually reply. So there we go.
So we got three replies, right? We have a total of three replies cuz we're not sending it to our own computer one. So we're going to send it to computer 2, computer 3. Switch one didn't reply and the router did reply.
So now we have three replies that were generated. And that was what I guesstimated, which I mean it was like a very educated guess, but yes, it was technically still a guess. Okay, so let's now talk about the host discovery using ICMP. As we established, ICMP does the ping, right?
So ICMP sends out a ping echo and it requests a reply via ping. So we can ping every IP on a target network and see who would actually respond. Um although this would be the most straightforward approach, it's not always reliable. Many firewalls block the ICMP reco uh echo, excuse me.
New versions of Microsoft Windows are configured to block it by default. Remember that the ARP query will precede that ping. So to use that request to discover the live host, we can do the dash PE. So remember the SN if you don't want to do a port scan.
So we could just do PE to just discover the live hosts using the ICMP echo. So this is what it would do, right? So this is the command. Oh, I'm super zoomed in.
So this is the command nm mapap pesn if you don't want to do a port scan and then you just do it. So it'll send the echo request and it'll get some kind of echo reply. If it does get the echo reply then we can estimate that it's up. If it's been filtered through a firewall it won't be up or if it's actually turned off or disconnected from the network it also won't be up.
So in the example below, we we scan the target subnet using that specific command and it'll send IPMP ICMP echo packets to every address on the subnet. We expect live host to reply. However, it's wise to remember that many firewalls block it. So the output below shows the result of scanning the virtual machines class C subnet using pseudo end mapap.
And so class C is just another thing that they're dropping in to let you know that it's this type of a subnet, meaning that the first three octets have been determined to be the subnet itself, the network segment. And then the last octet is available. So that's a class C. If there was 16 right here, that would be a class B.
And then if it was eight, that's basically an internet service provider and it's a class A. and they have like I think like millions if not it's probably like in the tens of millions of IP addresses that are available. So let's see if we can kind of zoom out of this to make it a little bit more legible here but it doesn't seem to be the case. So I'm just going to actually do this.
There we go. So now we have a little bit of a better view for us. So this is what it would look like. You do pseudo nmap pesn and then you give it the octet or the subnet that you want to scan and it'll do it.
So host is up. post is up up up up up up up up up up up up up up up up up up up up up up up up up up up up up up up up up up up up up up up up up up up up all of them are up and then it gave us the MAC address of course that we sent out and that's pretty much it. We just did ping requests that were sent out, but it also replied with the individual MAC addresses for all of them as well. And it just told us, right, it's up, right?
So, it shows that the eight hosts are up. Moreover, it shows that their MAC addresses. So, generally speaking, we don't expect to learn MAC addresses of the targets unless they are on the same subnet as our system. And it indicates that NMAP didn't need to send the ICMP packets as it confirmed that these hosts are up based on the ARP responses.
So again, remember those blue dots, the ARP ARP responses or ARP requests sent out first. And if they're up and if they actually reply, it doesn't need to do the ping because it just knows that they're up and they are on the same subnet is what we can also conclude with this because if it doesn't do a ping and it gets the MAC addresses and it tells you that it's up, you can assume that it's on the same subnet. So we can repeat it. Now we're going to scan from a system that belongs to a different subnet.
And now you get to see something different. It says the report for this IP address is up. And so now it's measuring everything in IP addresses instead of MAC addresses. So if we see something like this in fire wire wire, excuse me.
Uh we can see that we have more uh we have one source IP address on a different subnet than the destination and then sending echo requests to the all the addresses in the subnet to see it. So you can see the source is the same IP. The destination is different IPs. They're on the same subnet, but they're different IPs.
The protocol is no longer ARP. It's ICMP because it's actually sending a ping. And then the info says ping request, and they're all requests that are being sent out because it's going from the same source to different destinations. Now ultimately when we keep measuring it and then we would end up seeing all the replies that came in you would see that the the source would be these IP addresses and the destination would be this singular IP address and all of these would end up being replies instead of requests.
So because the ICMP echo requests tend to be blocked you might also consider the timestamp or the ICMP address mask to tell if a system is online. The end map uses timestamps on ACMP type 13 to check whether it will get a timestamp reply which is would be the type 14 and adding the PP option tells NAPAP to use the timestamp request and we can see that right here. So you're doing PP no port scan and you're sending a time stamp request. You get a time stamp reply and if you do that means that it's up.
So this is what it looks like over here. Same thing right? get the IP address and it's up but basically the command has changed pseudo and map ppsn and then you give it the target. So we can see again that we have the same source going to a variety of different destinations ICMP the timestamp request is now inside of the info and these are all requests because these are all going from the same IP to the same destination.
Once these people started replying then we would get timestamp replies. So end mapap uses address mask queries. So type 17 and checks whether it gets an address mask reply which would be type 18 and it can be done with the -pm. So very similar except now we're just doing -pm instead of pp.
And again we're not doing any port scans. And so we run it and this is what it would look like in this particular case. Now it says end mapap is done. 256 IP addresses, zero hosts that are up.
So based on early scans, we know that at least eight of them are up, but this one returned nothing. And the reason is that the target system or a firewall on the target system is blocking this type of ICMP packet. Therefore, it's essential to learn multiple approaches to achieve the same result. So we already know, right?
We knew that there were eight targets that were up, eight hosts that are actually up. But because we're now doing this other type of scan, we actually get blocked by the firewall. So it's always important to understand and always important to try different approaches just to make sure that you actually are getting the information that you need. So even though we didn't get a reply and we couldn't figure it out, we know that this ICMP address mass request to every valid IP and waited for a reply was actually sent.
So we can see again address mask request was actually sent to all of the other uh target addresses. We just didn't get to see them. So each one of them was sent twice as we can see in the screenshot. And we can see what is it?
It goes 1 2 3 4 5 and it goes all the way to 10 and then 1 2 3 4 5. So it's sending it twice because it didn't get the response that it wanted. So what's the option required to tell Nap to use ICMP timestamp to discover the host? And that was the - PPP I want to say.
And oh, it's not. It's not. Oh, I got uh I got kicked out. If it does unauthorized, that means I got kicked out, which is always so weird.
I don't understand how I get kicked out. I'm literally here. I haven't logged out. So, why would I get kicked out?
So, let me I'll refresh it and I'll log back in. Okay, so here we go. Let's try that again. So, we'll do - PP.
Press enter. And there it is. Okay, so the time stamp and then what's the option required to tell it to use the address mask and what was the option for address mask? PM.
There we go. So the PM I'm guessing it stands for mask. So PM and that would what? Oh, I put it in the wrong one.
Excuse me. So this one is PM and echo would be P E. And that's the one for that. Okay, great.
So now we can move on to host discovery using TCP and UDP. Now this one in particular, this specific section, it is a little bit more involved than what we're going to be getting in this just little task that we have over here. So we're going to do an overview, but then as we go through the rest of the end map videos, we're going to go deeper into this. So there's something called a sin ping or a sin scan, I guess we can say.
So, we would send a packet with a synchronized flag that's been set and it would go to port 80 by default and we'll wait for a response. The open port will send an SIN acknowledgement. If it's closed, it would send the reset packet. So, we can only check whether we will get any response to infer whether it's actually up.
That's pretty much it. We're not going to get much information about the individual ports. Right? If you get a full TCP 3-way handshake, right?
So, this is what a full connect scan will be done. And if you don't set any kind of flags, by default, end mapap will do a full connect scan. So, TCP 3-way handshake sends a synchronize request. So, it'll send a synchronized packet.
The server will respond with the acknowledgement. Okay, I acknowledge that you want to synchronize with me. And then the client will say, okay, I acknowledge your acknowledgement. And then this is the completed handshake.
And when we do this, we receive a lot more information about this target server or the target host, whatever it is, than we normally would if we just sent a regular SIN scan. So if you want to use the SIN ping, you can do the PS or you can do the S. Uh, actually technically, so the SIN ping is not a SIN scan. I should be uh I should be clear about that.
So my apologies for that. So if we do a capital PS followed by the port number range or list or whatever. So for example PS21 will just scan the port 21. 21 to 25 will scan all of them.
Right? So 80 443 and 8080 will just scan these three. So you need to use the uh the pseudo command in order to do this because this is technically one of the stealthier scans that's done because we're not doing a full three-way handshake. So because of that that fact we are going to need uh privileged uh permissions.
We need to use higher admin or root privileges to be able to pull it pull it off. Therefore it needs to be either root or pseudoers or or excuse me pseudo uh or you need to be like an admin if you're running it on a Windows machine. Unprivileged users have no choice but to complete that three-way handshake. So this is again when you use those specific flags and you don't want to do a port scan, you just send the SIN packet, it responds with the acknowledgement and then we close it by sending the reset packet so that it doesn't establish that full connection and it's quieter.
If we establish a full connection, it's much louder when it comes down to intrusion detection systems. So we want to be quiet, especially when we're trying to be stealthy and we don't want to get detected. So we're going to run this again to scan the target VM subnet. As we can see in the output, we would get the host is up responses based on whatever the query was, whatever the command was.
So if we look at what we get to see inside of Wireshark, we'll see that we didn't specify any TCP ports. So in that scan, it just used the common port. So for example, port 80 and any service that was listening on it was expected to reply. So you can see that it's coming from 6 61429.
Uh it doesn't really zoom in here. So let me just manually zoom in here. So it's coming from our source IP going to these various destination IPs. It's automatically just trying to uh connect to port 80 which is the default that it tries to connect to.
And all of these packets that are being sent are the sin packets that are being sent. Right? So same series, you can see that it's all the same series of IPs that are trying to be connected to and it's just sending these multiple packets because it wants to establish at least that initial are you up conversation. Then we have the acknowledgement ping.
So first we talked about the sin ping and then we would do the acknowledgement ping. So this sends a packet with the act flag set and you would be again running NMAP as a privileged user. If you do it with no privileges, then it'll just again try to do a full TCP 3-way handshake. So, by default, port 80 is going to be used.
But again, we can just assign the ports that we would want for it to be scanned. And this is what it would look like. It would just send the acknowledgement. And then this thing will just send a reset.
And this is a this is kind of where we conclude whether or not it's open or closed. is like it's not the most definitive type of a response that we would get because the target will respond with the RST flag set because when we send with an act it's not a part of any kind of ongoing connection. So the response is determining whether or not it's up but it's kind of hard to see whether or not it's up but end mapap will just determine that it's up. So you send it with the flag set, the PA flag set for ping acknowledge and then it just responds.
And this part is kind, it was always confusing to me because it's saying right here, where is it? It says it's either open or closed. So the TCP port is either open or closed. So end mapap just assumes that it's up if it doesn't reply with closed or if it doesn't find out that it actually is closed.
It'll just assume that it's up. And so this is similar, right? Same source, various destinations going to port 80. Just the only difference that we can see right here is that instead of a sin flag, it's all act flags that have been set.
And then we have the UDP ping. So the UDP to discover if the host is online. Contrary to the sin ping, sending a UDP to an open port is not expected to lead to any kind of a reply. If we send a packet to a closed UDP port, we expect to get an ICMP port unreachable packet.
So if we don't receive the port unreachable packet, we assume that it's up and running, right? So So So uh in the following figure, we see that a UDP packet was sent. So this is what we get, right? It was sent.
UDP port is open. We get this one is sent. UDP packet is sent and it replies type three or whatever. So UDP port is closed.
This leads to ICMP destination being unreachable. Right? So the syntax would be the -pu for ping the UDP. And again this is what we would get over here in this particular case.
If we inspect the packets that have been sent, we can see that it's sending the UDP to the UDP ports and they're most likely closed. The image below shows that it uses uncommon UDP port to trigger an ICMP destination unreachable. So we can see this right here and it really doesn't show us much. It's just showing that it's being sent to the common UDP port and or the uncommon UDP port which is 40125.
It's like a very uncommon UDP port. And that's basically it. And then we have mass scan. A different tool.
It uses a similar approach to discover the available system to finish this network scan quickly. It's quite aggressive and the syntax is very similar, but being that it's aggressive, we can expect that it's going to be louder and more, you know, triggering more alerts on the intrusion detection. So, mass scan, machine IP, port 443, 84, etc., etc. Top ports like the top 100 ports, etc.
It's not installed on the attack box, but it can be installed using the package manager AP. And depending on the distribution of Linux that you're using, your package manager might be different. So, it's not always apt. It could be yum, it could be, I think, dnp something like that.
There are a few different package managers. It just depends on the distribution of Linux that you're using. So, which TCP ping scan does not require a privileged account. And this is the TCP um I guess I'm am I doing like the full thing because it's going to be the the TCP connect scan.
That's the full one that we're using. So which TCP ping scan does not require a privileged account. This feels wrong. Uh it says TCP ping scan does not require a privileged account and the answer is TCP sin ping.
However, uh if we go read through this documentation again, this is like this is the piece that I'm like, okay, what's happening? So, what does it say? It says the uh the privileged users can send TCP send packets and don't need to complete the three-way handshake even if the port is open. Unprivileged users have no choice but to complete the three-way handshake.
And this is what I find kind of confusing about this because uh with all of it with everything that we just talked about TCP send ping we can send it by default wait for a response da da da close port which is all in this case we only care d and that's basically like there's nothing else that it gives us over here and it I don't know when you say that it requires privileged users and they don't need to complete the three-way handshake in order for this to work it you're implying that it requires pseudo users. It requires privileged users, but the answer or the question phrasing is that it does not require privileged account. So, that part is kind of confusing to me. I guess this this was like something that I didn't I wasn't sure whether or not would be the answer, but I guess that's the answer.
So, which TCP ping scan requires a privileged account? So all of them all of the ones that we just talked about would require a ping uh privileged account. So if we do let's say an act ping that would be yeah what option do you need to add to end mapap to run a TCP sin ping scan on the tnet port. So it would be dashp uh s and then tn net port would be 21 or 23 excuse me there we go.
So 21 is FTP, 23 would be Tnet. All right. So let's talk about using reverse DNS lookup. NAPAP's default is to use reverse DNS online hosts because the host names can reveal a lot and this can be very helpful.
So if you don't want to send these types of queries, you would use the dash N to skip to skip the name, right? So N for name or you can do N for numerical. Whichever one helps you remember that. You don't necessarily need to remember all of this stuff.
You can always refer to the manual to figure it out. But that I try to kind of like connect something to it so I can remember it. So by default, NAPAP will look up online host. However, you can use the option -ash r capital R to query the DNS server even for offline hosts.
And if you want to use a specific DNS server, you can add the DNS server and then or the DNS servers option with the actual DNS server uh assigned to it. and you'd be able to do it. So, uh this was very very short little section that we have. So, it says we want N mapap to issue a reverse DNS lookup for all the possible hosts on a subnet hoping to get some insights from the names.
What option should we add? So, we want to issue a reverse DNS lookup and we want to do it. So, this can be helpful. However, if you don't want to send such DNS queries, you would use this.
So to query the DNS server for all the possible hosts on a subnet. So let's try to do - r and there it is. Okay, great. Cool.
That's it. And we are now going to do a quick review. So we went through a lot. Uh we've looked at ARP, ICMP, TCPN, UDP, and how they can detect live host by going through this video.
Any response from a host is an indication that it's online unless it's like an offline kind of a response or I don't know a dead uh response. Um below is a quick summary. So this is what we have. So we have the ARP scan that you can do with this command.
ICMP echo scan timestamp all of these things. This is basically what we just covered so far. And if you want to do SN, you just want to make sure so that you uh if you don't want to do port scanning, you would do SN is essentially it. So omitting the SN will make N MAPAP actually default to port scanning.
And then what it'll do is if you don't specify the ports that you want it to scan, it'll scan the most popular thousand, the top 1,00 ports. So dash N would be no DNS lookup, - R is reverse DNS lookup, and SN is host discovery only without doing any kind of a port scan. So that's basically it. And again, this is one of the free rooms that's available.
So you can go through this to establish your own notes or if you want to come here and look at all these commands to save them for yourself in a file. I highly recommend it. Or you can always just launch the attack box and from there do the manual of end map. Go look at man end mapap and then look at all the different options.
Obviously you can download it on your own computer and go look at all the different options. So there are so many different ways that you can find it. You can always Google what the end map manual looks like. There are a lot of different ways to do it.
And this is one of the tools that in pen testing you're going to use almost every ca like all the time. If you're doing pens testing against a network, against a host, against a subnet, a device, anything that's digital and it's not a physical pentest, you are most likely going to use end mapap. Like guaranteed. I don't know anybody who doesn't.
Like seriously, I really don't. And it's one of those tools that is so profound, so functional, and there are so many ways that you can use it for so many different purposes that you want to get good at this. So, if this is your first time being introduced to NM MAPAP, stick around and watch the rest of the series as we go ahead and build the the rest of these videos out. And I promise you, you will not be disappointed.
This will be something that you will be very, very happy that you went through and you will use NMAP. I'm telling you, you're going to use end mapap as you go into your pen testing journey, your ethical hacking journey. So, we're going to click submit and we are good with this one. And I got to close down the machines that we got and we'll do a quick little wrap-up.
If you got value out of this video and if you want to get more videos like this one, then I encourage you to like, subscribe, and turn on the notification bell so that you get notified the next time that a video comes out on this channel on this pathway, the junior pentester playlist that we're building out. And if you're more interested in getting more pentest stuff, then there's also the CompTIA Pentest Plus playlist that I'm also building out. And new episodes for this one drops out. It drops every single Friday, right?
So every Friday there's going to be a new episode coming for the CompTIA Pentest Plus until we finish that up and then we have a completed playlist for that and then from there we'll just move on and we'll build more playlists with more cool content. Network Plus is already done. We talked a lot about networking today and this is a comprehensive playlist training series for CompTIA Network Plus. People have used it to pass their exams so it's legit and you'll get a lot of value out of it.
Uh this is exclusive to Aolix Anonymous. We have Security Plus that's already done. We have Linux plus that's already done and of course sciC 101 and if you haven't gone through that then I encourage you to go through that as well. It's really really strong for foundations.
Then we have the members only section. We have sock level one level two security engineering the posts that go public on the post section of our channel and then you can always go to this little search button and search for something in particular to find more information about that specific topic. So, if you have any questions or comments, drop them in the comment section below. Otherwise, make sure that you like, subscribe, and turn on notification bell so that you get notified the next time that a video comes out on this channel on this pathway.
It's your boy Hank Hackers and it Hank Hacks Hackers, your favorite networking system attacker/protector. If no one else loves you, Hank loves you. Love, peace, and chicken grease. And I'll see you in the next video later.
In episode 25 of the junior pentester training series, we are going to continue with our network security module and we're going to learn more about NAP. And in this particular video, we're going to be talking about the basic port scanning capabilities of NAPAP and how we're going to do the NMAP TCP connect scan, the TCP SIN port scan, and of course UDP port scans. And this is all available through the Tryh Hackme platform. And this specific room, as you can see right here, uh, is going to obviously provide the introduction for us.
We have TCP, UDP ports, TCP flags. These are just kind of explanation portions just so you understand what they look like and what you're looking for when you do your scans. And then we have three virtual machines that have been assigned to us that we're going to use to get the connect scan, the SIN scan, and the UDP scan completed. And then from there, we will talk about fine-tuning and scope performance.
And of course, the summary and final thoughts. and all of that good stuff and then you will be dismissed for the day. And so the room is again available through the Tryh Hackme platform. It was created by Stratagos or Strategos.
Still don't know exactly how to pronounce their username, but shout out to that person for creating this room for us so that we can use it. This is a subscriberonly room that's available in Try HackMe, meaning you actually do need a paid membership. However, if you have NAPAP installed on your own computer or if you have Kali Linux, which I love, and we're going to be using a Linux machine that has N Map installed on it, you can then just go ahead and run along with me as we go ahead and do these scans, and then you'll be able to practice NAPAP on your own computer. So, this isn't necessarily mean that you need to have uh try hackme.
I will say that when you do your end mapap scanning, just do it against your own cell phone or your own, you know, other computer. I have multiple computers inside my studio. So, uh, do it against your other computers or do it against your cell phone or another machine that you have. Don't do it against somebody that hasn't give you permission to do it.
And this is the reason why I use Try Hackme or services like Tryh Hackmely because the fact that they provide these virtual machines for us to scan without getting into legal trouble because again it is a felony and it's a it's a big issue if you do this without permission. So just wanted to give you that full disclosure. But apart from that, it should be a pretty straightforward video today. It should be a pretty straightforward episode and hopefully you will get a lot of value out of it.
A quick shout out from Hackaholics Anonymous and we'll dive deep into the contents. If you're serious about your SCIC education and you want access to me on Discord, consider joining Hackaholics Anonymous. We have four tiers, the supporter, agent, guardian, and master. Each tier gets their own Discord server and early access to content.
The agent, guardian, and master levels get exclusive content, exclusive downloads, monthly Python automations, live streams with me every month, plus so much more. And to join, you can simply click the link in the description below, or you can go to our homepage and click the join button there, or you can go to youtube.com/hankhackshackers/join, and you will be able to join hackaholics anonymous. Now, without further ado, let's jump into the end map basic port scans. Okay, so this episode is the second in the end map series.
So, we did the live host discovery in the very last episode. Basic port scans is what we're going to be doing today. Then the next video is going to be advanced port scans and then the postport scans. So in the previous video, the one that we did right before this one, we have covered the focusing on online systems, right?
And now we're going to have three steps in this particular process, which is the enumeration of the targets, discovering live hosts, and of course reverse DNS lookup. So this is what the full thing looks like here. I'm kind of zoomed in on the screen, but enumerating target, discovering live host, and reverse DNS is basically what we talked about previously. So now we're going to go into actually scanning ports.
So the next series of steps would be the port scan for TCP connect port and then we have another one for the SIN port scan and then we have the UDP port scan. So you have TCP connect and SIN which are essentially scan types and then we have the UDP port scanner which is essentially a different protocol on the transport layer that we will be using to try to find open ports. So we are going to discuss the different options to specify the ports that we want to scan, the actual rate of the scan, and of course the number of parallel probes that should be sent out that will make the scan go a little bit faster for you and all of that stuff will be discussed in addition to actually doing these types of scans that we have. Sorry, I kind of went off the screen here.
So we're going to launch the attack box, which I've already done. The virtual machine is also launched. The very first target machine is also launched. So we should be ready by the time that we actually get to that portion of it.
And now let's dive into the difference between TCP and UDP ports. Okay. So here's the read through. In the same sense that an IP address specifies a host on a network among many others, a TCP port or a UDP port is used to identify a network service that's running on that host.
So a server provides the network service and it adheres to a specific protocol. An example would be the time for example responding to DNS inquiries or serving web pages. A port is usually linked to a service using that specific port number. So for instance HTTP would bind to the TCP port 80.
This is a default port for HTTP communications via TCP. If HTTP supports SSL or TLS, which is the secure version of HTTP, then it would be on port 443, and it converts it into HTTPS, which is what you see right here. So, in conjunction to these ports, port 80 and 443 are the default ports of HTTP and HTTPS. However, the web server admin might choose other port numbers if necessary because it's pretty well known in the networking world that 80 and 443 are relative to HTTP and the secure version of it.
So maybe the network admin or the web server admin wants to be more secure, so they change it from the default ports into a different port. So no more than one service can listen on any TCP or UDP port on the same IP address at least. Right? So we have 65,000 plus ports that are available on every single IP address.
And so if you have, you know, more than 65,000 services running in your uh company, then maybe you should use multiple IP addresses. But pretty much on any given IP address, you have a 65,650 something like that. It's I know it's more than 65,000. That's that much.
which I know for sure and they're a combination of TCP and UDP ports. So at the risk of oversimplification, we can classify the ports in two states. You have open ports that indicate that there's some service listening on the port and then you have a closed port that indicates there's no service listening on the port. Now this is again an oversimplification.
There are uh filtered ports, right? So if they're behind a firewall, it could be open, but the firewall might be blocking the packets. Therefore, NAPAP considers the following six states. It has open, it has closed, it has filtered, unfiltered, open filtered and closed filtered.
So open is the services listening on the specified port. Closed indicates that there's no services listening on the port although the port is accessible, right? So it's closed, but it is accessible. By accessible, we mean that it's reachable and is not blocked by a firewall or other security appliance, right?
So if you see closed, it's accessible. It's just there's nothing listening on it, right? Filtered means that Nap can't determine if the port is open or closed because the port is not accessible. So it's usually due to a firewall typically preventing NAP from reaching that port and the packets may be blocked from reaching the port.
Alternatively, the response are blocked from reaching NMAP's host, which essentially says that it's filtered. If we see filtered, it typically means that it is open, but it's sitting behind a firewall. It's not the case all the time, but that's kind of what it means. Unfiltered means that NAPAP can't determine if it's open or closed, although the port is accessible.
This state is encountered when using the act scan, also known as unders uh what is it lowercase s uppercase a. And then we have the open filtered and closed filtered. So open filtered means that N MAPAP can't determine whether the port is open or filtered. Closed filtered means that NAPAP can't determine whether it's closed or filtered.
Right? So these are the six states. For the most part I have seen these three pretty much all the time. Um unfiltered I really don't see.
Open filtered or closed filtered I rarely see but I usually do see open closed and filtered pretty much all the time. So which service uses UDP port 53 by default? And I just know this off top of my head. And so that would be DNS as long as my keyboard works.
There we go. So DNS. Which service uses? 22 by default.
That would be SSH. And how many port states does N MAPAP consider? Six total port states. And which port state is the most interesting to discover as a pentester?
And of course that would be the open port state. Now when you see things like this, the 53 by default or 22 or whatever it is, these are things that I have seen so many times that I know what they are off top of my head. But it wasn't like that at the very beginning. I you know studied networking.
I even launched a networking course CompTIA network plus that's available on this uh pl on this channel. So you can go ahead and check that out. And it's like a really good it gives you a good overview introduction but then it also goes into the deeper and more advanced topics behind networking. and it has practical videos and a bunch of other stuff as well.
So, uh for for your intensive purposes, uh you can always find cheat sheets of the most commonly used ports and you can find out what services are running on those ports and you can just Google them. There are so many free ones that are available and I highly highly recommend them. So, if you don't know what these ports are off top of your head, it would be something that you should consider studying because it would help you become a better security professional, a better hacking professional, so on and so forth. But anytime that you do a scan, if you see that a port is open and you don't know what it is, you can always just Google it and then based on that, you can continue the rest of your reconnaissance.
Okay, so let's talk about TCP flags. to be able to understand the different types of port scans that are available, we need to first understand what a TCP header is and we need to review the portion of the TCP header that is relevant to this and that's actually the first 24 bytes of a TCP header. So the figure that we have below right here is going to show us uh the TCP header as defined in the RFC 793 and RFC 793 is basically a code. So this is what is this?
We have the data tracker uh data tracker.f.org and then they have this uh this document that's available for us that essentially outlines this thing for us and it's an internet standard. So the RFC stands for let's see if we can find the acronym here um for transmission control protocol is TCP of course RFC let's see I can just probably Google this and I can just do this right here and then we'll search Google for it to see what it stands for transmission control protocol RFC what does RFC stand for uh it's the internet standards however uh I'm just trying to find out what RFC stands for bro so let's see let's we might actually have to do it what does RFC FC stand for there we go for in networking we'll even get more specific with that so it stands for request for comments oh my god really seriously dude so it stands for request for comments RFC's are a series of documents published by the internet engineering task force and other standard bodies that describe protocols concepts and methods related to internet and yada yada yada okay so RFC 793 is basically an internet standard that has to do with transmission control protocol and it's a request for comments I guess something that people can add their stuff to. So anyways, um this figure may look sophisticated, but it's pretty simple to understand. In the first row, we have the source TCP port number and the destination port number, which is this piece right here.
So source port and destination port. So where it's coming from, where it's going, that's basically what it is. We can see that the port number is allocated 16 by 16 bits, which is two bytes. So this line, let me see if I can kind of zoom out of this so you can see the full thing.
So you see it goes from zero and it goes all the way to the end right here. And this is 32. So we have 32 bits in total. And so 32 bits each uh each bite is 8 bits.
So if you have two bytes that means it's 16 bits. So the source port is 16 bits and the destination port is 16 bits. So you can see that right here. Then we have a sequence number and an acknowledgement number.
So we can see the port number is allocated da da in the second and third rows we have the sequence and the acknowledgement number. Each row has 32 bits or four bytes that are allocated to it with six rows totaling making up 24 bytes that are available. So we have 1 2 3 4 5 6 7 this is actually seven row. Uh so I guess not counting the ports at the top we should have 1 2 3 4 5 6 technically I guess.
I don't know if that's what they meant but that's basically what it is. And then at the very very bottom, you can also see this piece right here. It's kind of harder to see, but it says byte 0, by one, bite two, and bite three. So it starts with the index position zero, which is typically what it's done in coding and networking.
So you can use it essentially the same way. If you're familiar with coding, uh you can hopefully just decipher that. But really, it's not really complicated. It's just instead of starting at one, it starts at zero.
So bte zero would be index position one or index position zero I guess but technically it's the first position and then you have one two and three and each bite is eight bits as you can see that's pretty much it right that's all you need so what we need to focus on are the flags that end mapap can set or unset and we've highlighted the TCP flags in red which are the these pieces right here so notice that they are assigned one bit each so if the URG flag or The urgent flag has been set. That means there's been one bit that has been assigned to it. You have the acknowledgement flag, the push flag, the reset flag, the sin flag, and the FIN flag that have been set. Right?
So if you set the flag, it means that you're setting the value to one. From left to right, you have these. The urgent flag indicates that the urgent pointer filed is significant. The urgent pointer indicates that the incoming data is urgent and that a TCP segment with the URK flag is processed immediately without consideration of having to wait on a previously sent TCP segment.
So, as the name implies, it's urgent. Process it before you do anything else. Right? That's what we're telling the network.
The act flag also known as acknowledgement indicates that the acknowledgement number is significant if it's if it is used to acknowledge the receipt of or it is excuse me not if it is it is used to acknowledge the receipt of a TCP segment. Push flag asks the TCP to pass the data to the application promptly. The reset flag is used to reset the connection or basically end the connection. Another device like a firewall might send it to tear a TCP connection down.
This is also used when the data is sent to a host and there is no service on the receiving end to answer. The synchronize flag is used to initiate the TCP 3-way handshake and synchronize sequence numbers with other hosts. The sequence number should be sent randomly during the TCP connection establishment. And then the FIN flag is when the sender has no more data to send.
So it's finished, right? you're finished sending data basically. So what three letters represent the reset flag? That would be the RST.
Which flag needs to be set when you initiate a TCP connection. The first packet of the three-way handshake. And that is the synchronize flag that we need to set. So let's now do the connect scan.
So now we're actually going to do a scan with end mapap and we're going to try to establish the connect scan. The connect scan works by completing the three-way handshake. Okay, so this is what the three-way handshake looks like. So you have the sin flag, the synchronized flag that's sent first.
It's sent from the client, which is you in this case, and it's being sent to the server. Okay, the server will respond with an acknowledgement. It says, I acknowledge your synchronization. So sin and act are both set.
So the first one that's sent just has the sin flag sent. The next one that comes back has sin and an acknowledgement both set. And then finally the client will send another one saying final acknowledgement. Great.
And once this one is sent and received on this end, we now have a completed three-way handshake and the TCP connection has been established. So when the TCP connection is established the it's the loudest uh type of scan that we do with NMAP. However, or and I should say not necessarily however. It's like it is the loudest one, meaning that it shows up on network scanning and network monitoring devices because we're literally establishing a full connection with the end server and the agent is going to be end map.
So, they're going to be alerted and it's a very loud scan and uh the reason why we do this is because this is the most informative scan that we can do. So, if we do a TCP connect scan and we actually establish a connection with the server, with the host that we're trying to connect to, we're going to get as much information as we possibly can using end mapap. So, it is the loudest. It's also the most informative.
And so, if we do something that's quiet, so for example, doing a stealth scan, then we're not going to get as much information, right? So that's the the key element of doing a full connect scan versus just doing a stealth scan. The stealth scan will tell you, okay, I think these ports are open, it's not as reliable. A TCP connect scan, it's already established a full connection.
So when it tells you ports are open or s something is filtered or whatever, that's the most reliable information that you can get. Right? So uh we're interested in learning whether the TCP port is open, not establishing an actual connection. Hence the connection is torn as soon as the state is confirmed by sending a reset acknowledgement and you can choose to run a TCP connect scan using the lowercase S uppercase T.
So this is what it will look like right? So when you do lowercase S uppercase T sin is sent acknowledgement are received acknowledgement is sent and at the same time the reset acknowledgement is sent just to tear down the connection so that we're not fully connected to this thing or stay connected to it because again it's just too loud. But even in this case it's still going to be loud. So let's just be very clear about that.
when you receive the SIN acknowledgement and you complete your connection to it, you are doing the loud loudest type of scan that's available. So, if you're not a privileged user, pseudo or root, a TCP connect scan is the only possible option that you can use to discover TCP ports because when you do a sin or like a stealth scan just by itself, you need to have root permissions or admin privileges to be able to do that kind of a scan. So, this is what Wireshark will actually show us when we have a packet capture window. We see that end MAPAP is sending TCP packets with a SIN flag sent to these various ports.
By default, N MAP will attempt to connect to the thousand most common ports unless you uh declare otherwise. A closed TCP port responds to a SIN packet with an RST acknowledgement and to indicate that it's not open. This pattern will repeat for all of the closed ports as we attempt to initiate the three-way handshake. So, we can see this right here.
So, let's zoom out a little bit. So, we can see this right here, right? So these are the source IP addresses which is essentially us right and we're sending all of these SIN you see these SIN packets that you see right here we're sending all of them from one of our ports to these other most common ports so you have 443 143 256 888 445 etc etc port 80 which is HTTP right so it's sending all of these requests for synchronization to all of these destination ports and then the 25227 IP that you see right here it starts responding right so when you See reset acknowledgement that means that this is closed right? So reset acknowledgement from 443 means 443 is closed.
256 is closed. 8885900 these are all closed. Right? And if you see that it receives is the port right here.
So from the destination right now it or from this initial host that we're trying to connect to. Now it's the source meaning that it's communicating back to us and it's saying that port 143 is actually open because it's saying synchronization is acknowledged. You see that? And then now we send another packet back to it.
And then it's a final acknowledgement packet and again it's on port 143. So we are now establishing the connection on port 143. We have a full connection established and the three-way handshake has been completed. Right.
So 143 is open. It replied with send acknowledgement. Nmap completed the three-way handshake by sending the final acknowledgement. And it shows all the packets exchanged between the host and the target on port 143.
You can actually filter your connections as you can see right here by looking for that specific IP address of your destination host or the target host. And we're just looking for port 143. And then it only shows the packets for that. So you can see sin was sent, sin was acknowledged, acknowledgement was sent, and then the reset was sent to tear that conversation down, to tear that connection down.
So to illustrate what this actually looks like, this is what the terminal command line would be. Nmap st and then we would connect to the target host in this case and then from there it will respond to us. So it says, you know, 22 is open, 25 is open, 80, 111,143, 9993995. These are all open and it even gives you its best guess on the service right so secure shell uh SMTP which is for email that's used HTTP which is for uh you know internet connection or web browsing uh RPC bind IMAP IMAP sop 3s pop 3 is pop 3S is also used for email so typically SMTP and POP 3 are usually together so anyways these are just the open ports that are available the states as you can These are all open states.
And then we have the services that are assigned to them. And then you can just go further and do all these different types of scans that we'll talk about later to get even more information about each one of these open ports and what type of services and versions are running, so on and so forth. So we can use the capital F, so - capital F to enable fast mode and decrease the number of scan ports from the thousand most common to the 100 most common. And if we use the dash r, you can also do that to scan the ports in consecutive order instead of random order.
And it's useful when testing whether ports open in a consistent manner. For instance, when a target boots up, we just want to see if the port is connecting in a consistent uh consecutive order. So what we're going to do now is we're going to launch the VM, which I've already done, and we're going to run this scan on the virtual machine. and a new service has been installed on this VM since our last scan as shown in the terminal window above.
So since this scan basically we're trying to see what the new service is and what the port number is assigned to it and what's end mapaps guess about the newly installed service. So let me just open this up in a split view and it will open it up in a full screen right here to make it a little bit easier for us. And what we're going to run is essentially an ST scan against this IP address inside of the terminal. So let's go ahead and open up the terminal.
We'll drag it to the left a little bit so I can kind of zoom in on this a little bit easier and move around a little bit easier. So here we go. So we're going to do end mapap ST and then we're going to paste the IP address that we want to scan. Press enter.
It runs very quickly. So what do we have? We have 22, 25, 80, 110, 111. I think it's 110 actually cuz 110 was missing.
So, it's POP 3, which is the unsecured, unencrypted version of POP 3s. So, I believe it's 110. So, let's go ahead and look at the results here. Yeah.
So, 110 is missing. So, we can go over here. The port is 110, not one, not There you go. 110.
And then the answer, the best guess here is POP 3. and on port 110. This is the default port for POP 3, which is the post office protocol that's used for email. So now we can move on to the next one actually.
So before we do this, I need to start the next machine. So I'm going to terminate this machine and we're going to go ahead and start this machine so that it loads while we read through the instructions here. The sin scan is also known as the stealth scan. So when we do the sin scan, we're essentially doing the opposite of what a full connect scan would do.
We're trying to be stealthy. We're trying to not make a lot of noise in the network monitoring logs. So it doesn't complete the three-way handshake. Instead, it tears down the connection as soon as it receives a response from the server.
So you just send the SIN flag, the SIN packet, right? And because we didn't establish the full TCP connection, this decreases the chances of a scan being logged. And we can select the scan by using the lowercase S uppercase S option. And so this is what it looks like, right?
So SIN flag is sent. The server responds with the acknowledgement, but then we immediately send a reset flag and we tear down the connection. We don't send that final uh acknowledgement to complete our three-way handshake. Therefore, there is no final there's no official connection that's established and so it's not as loud.
Right? So, this is the screenshot that shows the sin scan. So, again, SIN packets are sent out and then this is our IP address. This is the destination IP.
The destination IP then starts responding to us. And so, on this one, it sends the reset. So, we know that this is a closed port. Then on port 25, it actually sends a sin acknowledgement and immediately we respond back with a reset flag to close that connection.
And essentially the same thing goes on for port 80 as well. So it responds saying that port 80 is open, right? So it says I I acknowledge your connection. So if it says sin acknowledged, that means that port 80 is open or port 25 is open.
It's just that we never send that final acknowledgement to do the the the official connection, right? So the difference would be this specific screenshot that we see right here. So in the upper half of it, we can see the full connect scan using ST. In the lower half, we'll see the SS, right?
So this is what the screenshot looks like. This part right here is the full connect scan. So it sends a sin, we send the sin, they send sin acknowledgement, we send acknowledgement, and then we send reset. On this one, we send the sin, they send sin acknowledgement, and we immediately send the reset.
So there is no full connection that gets established. So it's the default scan mode when running end mapap as a privileged user. So you have to use pseudo to be able to run it. And it's a very reliable choice because it again it will respond with the sin acknowledgement to imply that it is open.
It's just that we don't get as much information about our target as we want to. So everything that we found with the TCP connect scanned uh can be found except we just did not establish a full TCP connection. So this is what we see right here. Uh same thing 225 80 110 11143.
These are the things that were open for this specific IP address. This is the new IP address that I just launched. So, what we're going to do now is we're going to run a sin scan against that IP address and we're going to try to see what the new port is uh that has been opened and what the service name would be for that one. So, I'm going to just copy this IP address right here and we're going to go back to our end map instance in our terminal here and we're going to run it again.
And so it's going to be lowercase S, uppercase S, and then we're going to paste the IP. Press enter. It'll run. There you go.
So 22 25 80 110 111143 da da da da. This is the new one. So 6667 and IRC would be the best guess here. So and then the best guess is IRC.
There you go. And just like that, you were able to run a SIN scan, a synchronized scan just by itself. You didn't establish a full TCP connection. So now, in order to pull the next one off, we're going to terminate this virtual machine and we're going to move to the UDP one and we're going to start that.
So let's read through the UDP connection. UDP is actually a connectionless protocol. So, I should have probably said it that way, but um TCP is usually the protocol that's used when you want to do an official connection to a destination and then you want to make sure that everything is delivered and you receive everything. So, for example, let's say file transfer that you're doing between uh an uh a cloud drive, right?
Let's say Google Drive. So, you're trying to transfer a file to Google Drive. you need a TCP connection to that specific domain on the port that's being used to transfer that file because you want every bit of that file to be transferred to the Google Drive. UDP doesn't require a full connection.
So UDP is used for music streaming or for video streaming and things like that. So you will sometimes receive um messages or not messages I should say data that's not full. So for example when you connect to Netflix sometimes or YouTube or something like that it's going to be via the UDP and then you'll see pixelated images right before the connection is fully established and you're receiving all of the data in its entirety for the first 5 to 10 seconds or something like that. you might receive a low quality image until it establishes a stronger connection even though it's connectionless.
It gets like a a stronger connection to the UDP port and so the images now become a little bit more fine-tuned and higher quality but it doesn't require a full connection because it doesn't really matter. It's just a video, right? It's not it's not that big of a deal. And in that same spirit, in that same breath, we can say that TCP is slower, UDP is faster, which is why you need UDP for video streaming because it would be it would take too long for the file to become available, for the stream to become available if you were using TCP because it requires that full connection.
UDP doesn't require a full connection. Therefore, it starts streaming right away and it ends up being faster, right? So, that's kind of like my overview of this for you. So UDP is a connectionless protocol.
It does not require any handshake for connection establishment. We can't guarantee that a service is listening on a UDP port and it would respond to our packets. However, if a UDP packet is sent to a closed port, an ICMP, so internet control messaging protocol, an ICMP port unreachable error type 3 code 3 is returned and you can select UDP using SU. Moreover, you can combine it with another type of TCP scan.
So this is what it looks like. Basically, it sends a UDP packet. That's it. There's no response.
There's no uh there's nothing that we receive from the server. So, if the UDP port is open, no response is expected from it. If the UDP port is closed, then we will get a response saying that the port is unreachable. So, that's how we conclude that it's closed.
If we don't get a response, we conclude that oh, it's open because it didn't explicitly tell us that it was closed. So as shown in the figure below, we can expect to get an ICMP packet destination unreachable if the port is unreachable. Right? So we send a UDP, it sends the ICMP type 3 code 3 UDP port is closed because it's the destination is unreachable.
That's how we determine whether or not it's open or closed. So in this capture we can see that every closed port will generate the ICMP packet. So these are this is us on the first column. This is them.
We're sending UDP packets. We're sending them to all these different UDP ports and then the ones that are actually closed, they respond with destination unreachable, right? Very, very simple, really straightforward. So using the scan would require pseudo again and then you would do su.
And interestingly enough, I didn't use pseudo in this one when we were doing the SS and it still worked for me. So it implies that I'm already logged in as a pseudo user. So just keep that piece in mind because usually it won't work. It will respond that you need to use pseudo to be able to run it.
So this is just automatically implying that I am a pseudo user. So um what is it? Uh we learned that port 111 was open. So uh running the UDP scan against Linux.
Um we learned that 111 was open. NAP cannot determine whether UDP port 68 is open or filtered. So if we do the SU scan right here, we can see open filtered for this 68 UDP 111 did return to be open. Right?
So we're going to now run a UDP scan and we're going to do the fast mode right here with the capital F and then we're going to do verbose to get a verbose response to see the results of the various port scans as we run it. So usually I actually recommend running the -v at the very least just so you can get the status of end mapap as it's working. Otherwise it'll just return whatever ports are open or closed. So in this particular case we will do the su the f and the v and we're going to connect to this specific IP which is the new machine that we launched.
So let's go here and let's zoom in and then we're going to clear the screen and we'll I'll do pseudo end map. Let's see if it's going to work. So, su-f. And I'm going to paste the IP address here.
Let's see if it'll ask me for a password. It doesn't. I'm already I'm a I'm an admin. That's basically what it says.
So, notice how because we used uh -v, notice how it's actually showing the results for everything that it's doing, right? So, from 0 to 50, 50 to 100, max increases to five, 6, 7, etc., etc. So, it just keeps going and it's going to scan whatever we need it to until it gives the response that we're looking for, that final response that we're looking for with all of the open ports or the ports that might be open filtered or unreachable, etc. So, I'm going to let this thing finish.
It's approximately 44% done as you can see right here. And once it's finished, we will come back and view the results. Okay, so it's done. And notice that before it gave me the final report right here, it actually started saying discovered open port 111 53 things like that.
Right? So it actually tells you what it discovers as it goes. So we have three ports that are open right now or actually two are fully open and one of them is open filtered as you can see right here. So the question asks us what it says um what is the UDP port that is now open based on these.
So 68 1111 and so what do we have? We have 53 is the new one. So 53 would be the port that is now open. And what's the service name according to end mapap and it's domain, right?
Cuz 53 is the DNS. So domain would be the service name. And there we go. So we are officially done with that.
And now we can talk about fine-tuning. So let's say you don't want to scan the top 1,000 or the top 100. Let's say you want to scan a specific list of ports, the ports that are of most interest to you. You want to find out what services are running on all of those ports and um what versions of services that are running or what versions of machines are running etc.
So if you were to do something called the SA scan, the the SA scan scans for everything, right? So let's actually go into N mapaps manual or I guess I should do man N map MAPAP. So that's the first one. So if we were to look at the manual for N MAPAP, we'll get an options list.
If we scroll down far enough, we'll get to see all of the various options that are available if we wanted to use N MAPAP. So let's scroll down a little bit. Under option summary, you get to see all of these things, right? So these are all of the option summaries.
So specifying targets or host types of discovery. And then you can do scan techniques and port specifications etc etc. Now when we go down here you have the service version detection which is done by SV. Hopefully you can see that.
So let me zoom in a little bit more. Uh service detection is done by lowercase S uppercase V. And then if we go over up here I wonder if it's under these things or where is it? Is it SA?
It's either SA or dash A. I think it's like dash capital A. I want to say uh OS detection is - O and then if we go to let's see miscellaneous dash A. Okay, there we go.
It's dash capital A. And when you do this, it does OS detection, version detection, script scanning, trace route, and a bunch of other things. So, it's literally going to do all of the options. And this is going to take a very long time if you just by default say I want you to scan every one of the top thousand ports or let's say you don't even do that.
Let's say you do this option right here the -p dash which ends up scanning all 65,535 ports. So if you do -p dash and dash capital A, it's going to take hours for the scan to finish because it's going to do all types of scans against all 65,000 ports. So to mitigate that, to make it a little bit easier on you, and to make it a little bit faster, if you know that the most uh interesting ports to you and your exercise are SSH, HTTP, and HTTP3, right? You can then do dash capital A against these three ports and then it'll do all of the scans and everything that it does against only three ports, right?
So you can actually give it a port list by just using these comma separators. You can also give it a port range. So you can do -p and then do one and then dash and then the next number and it'll go between one and the next number. Or you can do dash 10, right?
So, or you could, excuse me, you could do -p 10 and then do another dash and then do 50. So, it'll go between 10 and 50, right? So, it's going to scan whatever the ports are between those two ranges while doing 20 to 25 right here. You can see that it'll go to do anything between 20 and 25.
So, you can scan all the ports by doing -pdash just like this, which will scan all 65,000 ports. It's going to take a really, really long time. If you want to do the common 100, you can do - f, which is what we did in the last one. Or you can do top ports 10 and it'll check the 10 most common ports or top ports 50 and it'll do that.
And again, you can control the scan timing using the dasht and then give it a value. So it could be t0 for example, which would be the slowest, meaning it's going to be a very slow scan, but it won't show up. it. It's like the least likely scan type to show up on network monitoring logs.
If you do T5, then it's insane, right? So, it's super aggressive and it's going to be very loud and it's going to be very fast. Therefore, most likely it's going to raise a lot of alerts on network logs. So, when you do paranoid, you mean you really don't want to get detected.
Sneaky is the next level. polite and then there's normal and then there's aggressive and then there's insane. And typically if you don't declare any of these values, it'll just go by normal, right? But if you want to be super slow and if you don't want to show up on network logs, then you can do paranoid, right?
So that's the the timing of the scan or the speed of the scan technically in relation to how many packets are sent out, right? So to avoid intrusion detection system, you can consider T0 or T1 and it scans one port at a time, waits 5 minutes between sending each probe. So you can guess how long a scanning of a target would take to finish. So 5 minutes against 65,000 ports.
You can take how you can imagine how long that would take. It's going to take days probably. So let's actually do that. So I'll even do this.
So we will do 65,535 * 5. That ends up being 327, minutes. Okay. 327,675 minutes.
And we divide that by 60 and that gives us 5,461 hours that it'll take. And you divide that by 24 and it'll take 227 days. So, it will take 227 days if you do a T0 scan against all 65,535 ports. Now, if you don't specify any timing, it uses normal T3.
If you use T5, it's the most aggressive in terms of speed, but it can also affect the accuracy of the scan results due to the increased likelihood of packet loss. So, T4 is often used during capture the flag exercises and when learning to scan for practice targets. and T1 is often used during real engagements where stealth is much more important. Alternatively, you can choose to control the packet rate using the minimum rate number or the maximum rate number.
So for example, if you do max rate 10 or max rate equals 10, it ensures that the scanner is not sending more than 10 packets per second and you can control probing probing parallel parallelization using min parallelism. Uh and then you give it the number of minimum parallel probes or maximum parallelism. And then you give it the maximum number of probes and it probes the target to discover which hosts are live, which ports are open. And the parallelization often specifies the number of such probes that can be run in parallel.
Basically meaning at the same time. So if you do a minimum parallelism of 512, it pushes nap to maintain at least 512 probes in parallel and these are related to the host discovery and open port. So uh it's asking a lot of end map when we do that. So, what's the option to scan all TCP ports between 5,000 and 5500?
So, you would do what? You would do -p and then you would do 5123. So, 500 0 dash 5500 0 or 5500 I should say. And that would scan everything between 5,000 and 55,000.
How can you ensure that NAPAP will run at least 64 probes in parallel? And so it would be minimum parallelism, this piece right here. So I'm just going to copy that part. And then we're just going to add the 64 at the end of it, which is that.
And what option would you add to make end mapap very slow and paranoid? And that would be - T0. That's paranoid. So extremely slow.
And that's pretty much it. So in summary, in this particular video, we covered three general types of scans. We have the connect scan, the sin scan, and the UDP scan. And these were the commands that we assigned to them.
So, or they were assigned to them. So, ST lowercase S uppercase T is the full connect scan. If you don't uh designate this, it'll just automatically do it unless you use pseudo. When you use pseudo, excuse me.
When you use pseudo, it uses N map and then it does the lowercase S, uppercase S, meaning the sin scan, also known as the stealth scan. And then if you do UDP then it'll do lowercase S uppercase U and then it'll do a UDP connect uh not it's a connectionless scan and it'll do a UDP scan for you. So these are the types of scans that will actually get you started using uh TCP and UDP services on a target. And then of course -p would be all ports.
-p1 to 1023 would scan everything from 1 to 1023. Dash capital F would be 100 most common ports. -ash R lowercase R scans ports in consecutive order. The T flag or the T option is the timing of the packets that are sent out and how frequently packets are sent out.
So T0 is the most paranoid and T5 is the most aggressive. So T0 is most likely going to be the least detected while T5 will be the most likely to be detected. And then you have the max rate of 15 meaning send 50 packets per second maximum or minimum rate of 15 send at least 15 packets per second. And then of course the minimum or max parallelism which sends at least or at max the number of probes.
So in this case it will send at least 100 probes in parallel. So that is pretty much it for our end map port scanning introduction. So, I hope you got some decent value out of this and you were able to run the exercises along with me so that you can practice end mapap and do the things that you need to do just to get a hang of the tool because in the next episode and the one after that we're going to be doing more advanced scanning and we're going to be talking you know we're going to review back to that uh initial uh diagram that we saw that RCP uh where we or RPC request for comments or RFC there we go RFC RFC that RFC RFC uh diagram that we looked at where it showed us the number of bits and the types of flags that we can set and we're going to refer to that more frequently so that you can actually uh do some of the more advanced scans and everything else that comes along with NMAP. It's a very very powerful tool.
It is an industry standard. Everybody uses it and it's something that you need to get good at using as we go along with Junior Pentester and as you go further into your penetration testing journey. So, I hope you found value out of this thing. And if you have any questions or comments, make sure that you drop them in the comment section below.
If you did get value out of this video and out of this room, I do encourage you to like, subscribe, and turn on the notification bell so that you get notified the next time that a video comes out on this channel. Especially as we continue with Junior Pentester. And every Friday, there's a new video that comes out for CompTIA Pentest Plus, which is the advanced conversation around penetration testing. Make sure that you drop your comments in the comment section below.
Drop your questions in the comment section below. And there is obviously there's a bunch of stuff that happened. This was actually the very first live stream that I did on YouTube uh earlier today. It was my birthday live stream and we actually had a good turnout even though it was a surprise and I didn't announce it to anybody.
There were a lot of people that showed up and it was really exciting. It was a really cool experience and I'm going to be doing that more often. So again, make sure that you turn on the notification bell and subscribe and all that stuff. And then we have these other playlists that are available.
So we have the CompTIOP Pentest Plus playlist that's currently being built right now. We have Network Plus which is already done. Uh this is exclusive to the Hackolix Anonymous membership community. We have Security Plus is already done.
Linux plus is already done. Network Plus is already done. Their SCIC 101, which is another playlist that's really crazy that is very very powerful. So if you haven't done it, I highly recommend you go through this.
This is very very powerful, very fun foundational. Uh sciisec hacking case studies. We have Hackholics Anonymous exclusives, sock level two, compilations, security engineering, and there's I mean there's a lot of stuff on the homepage. I have the sock level one, sock level two, and security engineering playlist available.
And of course, all the stuff that's available to members only. So, there's a lot of stuff. And if you don't know uh if you don't know which playlist the information that you're looking for is in, instead of browsing, you can just go to this search button right here and you can search for the thing that you're most interested in. and then it'll bring up all videos that have to do with that topic for you.
Currently, there are almost 400 videos that are available on this channel. 397 videos. It's pretty crazy. Uh there's a lot of videos that are available on the channel and there's more videos that are coming out and I respond to the requests that are being made in the comment section and I create videos around the stuff that you want to know about.
So, you can drop a comment if you want to learn about something in particular and we'll do that as well. So, there's a lot of stuff and it's all accessible to you for free through this channel. And the only thing that I request from you is to like, subscribe, and turn on the notification bell so that you get notified the next time that a video comes out. And if you drop a comment, it helps us with the YouTube algorithm.
If you're serious about your SCIC education and you want access to me on Discord, consider joining Hackaholic Anonymous. We have four tiers, the supporter, agent, guardian, and master. Each tier gets their own Discord server and early access to content. The agent, guardian, and master levels get exclusive content, exclusive downloads, monthly Python automations, live streams with me every month, plus so much more.
And to join, you can simply click the link in the description below, or you can go to our homepage and click the join button there, or you can go to youtube.com/hankhackshackers/join, and you will be able to join hackaholics anonymous. I hope I see you in the Discord chats. If not, I hope I see you in the comment section. And this is your boy Hank Hackers.
And at Hank Hackshackers, your favorite network and system attacker/protector. If no one else loves you, Hank loves you. Love, peace, and chicken grease. And I'll see you in the next video.
Later in episode 26 of the Junior Pentester training series, we're going to go through advanced port scanning with NMAP. this amazing tool that is available to everybody for free. It's actually one of the greatest tools that exists and this is an industry standard when it comes down to pentesting and ethical hacking and reconnaissance and things like that. And in the last two videos, we talked about the basics of live scanning with NAPAP as well as just the basic port scans like TCP and SIN scans and things like that.
So, in this particular video, we're going to be talking about the null scan or advanced techniques that fall under null, Finn, Xmas, and idle or also known as zombie scans. Spoofing, meaning spoofing your IP address, and of course, firewall and IDS evasion. So, these are all the things that we're going to be talking about in the video today. And this all has to do with ad uh end mapap advanced port scanning.
And so, of course, there's the introduction to the the room itself to the video. We have the null scan, fin scan, and Xmmith scan. We have the Maymon scan, act window and custom scan, spoofing and decoys, fragmented packets, idle zombie scan, getting more details, and the summary. And so that's all the stuff that's going to be covered in today's video.
And of course, this is developed and uh provided to us by Try Hackme. Really, really cool place. I love these guys. And so, this is a subscriber only room, meaning that it requires a paid membership.
However, you can always just download end mapap on your own computer and scan your cell phone or scan your other computer or something like that and still do everything that we're going to be doing today and you should be able to get the results that I'm getting. You may not get the same ports that are open because I'm scanning individual machines for this specific exercise, but you can run the same exact scans that I'm running and you'll get similar results. So, the room was developed by Stratagos or Strategio, still don't know how to pronounce it. Um, and then we have Jen Sane.
That's a cool one. Jensen, Genensane, Genensane, Jensen, whatever. Um, thanks. Shout out to these people right here.
Very, very grateful for them because without them, we would not have access to this content that we're going to be doing today and we wouldn't have access to these instructions. So, I'm really excited about it. I hope you are, too. And we're going to be getting a lot of good value out of this video.
A real quick note from our sponsor, Hackolix Anonymous, and then we'll dive into it. If you're serious about your SCIC education and you want access to me on Discord, consider joining Hackaholics Anonymous. We have four tiers, the supporter, agent, guardian, and master. Each tier gets their own Discord server, and early access to content.
The agent, guardian, and master levels get exclusive content, exclusive downloads, monthly Python automations, live streams with me every month, plus so much more. And to join, you can simply click the link in the description below, or you can go to our homepage and click the join button there, or you can go to youtube.com/hankhackshackers/join, and you will be able to join hackaholics anonymous. Now, without further ado, let us jump into NMAP advanced port scans. So, this video is the continuation of the end map series.
In the last two videos, we talked about the basic port scan and the live host discovery. And now we're going to be talking about the advanced port scans. And in the next video, we're going to be doing the postport scanning. So in basic port, we talked about the TCP flags and the TCP 3-way handshake.
And to initiate a connection, the TCP requires the first packet to have the SIN flag that's been set. And then we will tell if the TCP port is open based on the responses that we receive. So that's for the TCP connect scan, right? Uh the TCP 3-way handshake is something that we'll just review in a little bit.
Uh security us researchers and hackers contemplated the TCP flags which are shown in this figure below right here. And they explained everything we or we did explain everything in the previous video that we did. So the episode right before this one and we started to experiment with these various flags. But they also wanted to know what would happen if we just send a specific packet which is not a part of any ongoing TCP connection with one or more of the flags set.
So if we look at this right here, these are the flags that we're talking about, right? Urgent, acknowledgement, push, reset, synchronize, and finish. These are the packets and each one of them are assigned a bit out of the 32 bits that are available here. They're assigned a bit.
And if this one is turned on, the value of this bit is one. If it's turned off, the value of it is zero. Right? That's the basics of these types of flags that we set.
So if the act flag is set when you want to acknowledge and receive data, the act scan is like trying to acknowledge the data that was neither sent or received in the first place. So if you just send an acknowledgement without anything else being sent, it's like, okay, I'm just trying to acknowledge nothing basically. So if we use this analogy someone trying to you know they're coming out of nowhere to tell you yes I hear you please continue and you haven't even said anything right so this room explains the advanced types of scans and scan options and some of these can be useful against specific systems while others are useful in particular network setups and we'll cover the following types which are the null fin xmas mayon act window and of course the custom scan So we'll cover the following of spoofing IPs, spoofing MAC addresses, decoys, fragmented packets, and the idle zombie scan. So we're also going to discuss options and techniques to evade firewalls and intrusion detection systems and options to get more verbose details from end mapap.
So this is going to be a pretty robust video that we're going to do today and you're going to learn a lot. my encouragement and I I really just recommend that you go through the basics video and the basic port scan and like the live scan video which is essentially the two episodes right before this one just to have that foundation because we're going to be talking about some more intermediate/advanced stuff and it might go over your head and it might seem a little bit overwhelming if you haven't gone through the very basics. So that's my recommendation. I've already started the attack box, which is a Linux machine that's assigned to us.
And I've already started the first virtual machine, which is the one right here with this green button right here. So, we are ready to go. Let's dive into TCP null scan, FINC scan, and Xmiss scans. The null scan doesn't set any flag.
All six flags are set to zero. All those bits that we talked about, they're set to zero. So you can choose this by doing the lowercase s uppercase N option and a TCP packet with no flags that are set. It's not going to trigger any response when it reaches an open port as shown in this particular thing that we see right here.
It's just basically null. There are no flags that are sent. Right? So the end mapap perspective is that a lack of a reply in a null scan indicates that either the port is open or a firewall is blocking the packet.
If it replies with something, it'll typically reply with a reset, the reset and acknowledgement, meaning that the port is closed. So, as long as we don't get a reply from that port, it's going to conclude and it's going to, you know, make an educated guess that it's either open or it's sitting behind a firewall, meaning it's filtered. So, this is the example of what a null scan will look like on a Linux machine. And it is one of those scans that require a an uh elevated privilege.
So escalated privilege meaning admin or root privileges basically. So you do need to run pseudo with it. And then basically NMAP and then the SN and then that's it. You give the IP address and it starts running.
So you can see right here, right? So it can't really tell whether or not it's open or it's behind a firewall, but it's no everything else that didn't get this kind of a response. it was immediately assumed that it was closed because the server replied with an RST, a reset connection and so that was the conclusion that everything else was definitely closed. These might either be open or they might be behind a firewall and they're being filtered.
So many end mapap options require root privileges. For example, the one that we just talked about or the stealth scan which is the lowerase S, uppercase S. So you unless you're running NMAP as root, you need to use pseudo as the example. Finn scan is the next one and it's going to be actually sending a packet.
So we're sending the FIN uh flag but that we've set that FIN bit has been set to one. So you can use it by doing lowercase S uppercase F. Similarly, no respond will be sent if the TCP port is open and end map can't be sure if the port is open or behind a firewall. So it'll probably say open or filtered.
And this is what it looks like. It just sends a FIN packet, right? So if it responds with a RST acknowledgement, it means that that port is actually closed. It's sending a reset.
So that's how we determine that the port is actually closed. And so SF against lowercase S, uppercase F would be the FIN scan that we're going to be sending with the FIN packet or the FIN flag being set to one. And so this is the response that we would get, right? So open filter, the type of service that it thinks is behind it and everything else actually responded with a closed.
Therefore, it's not on our list over here. The Xmmith scan gets its name after the Christmas tree lights. So, it sets the Finn, push, and urg flags, the urgent flags simultaneously. So, you can select this by doing S, capital X.
And like the null scan and the FIN scan, if an RST packet is received, it means that the port is closed. Otherwise, it'll be reported as open or filtered. So this is what we can see right here. Finn, push and urgent are both set.
Finish, push, and urgent are both set. And if we don't get any kind of a reply, that means it's either open or filtered. If we do get that reset acknowledgement, that means the port is closed. And we can run the scan by doing again pseudo mapap lowercase s uppercase x.
And this is what it looks like. And there we go. we just have these uh packets that are replied or these um replies that we've gotten from these ports that can be deduced as either being open or behind a firewall. So, one scenario where these types of scans can actually be efficient is when you're scanning a target that is behind a stateless or a non-stateful firewall.
A stateless firewall will check if the incoming packet has the sin flag set to detect a connection attempt. So using a flag combination that does not match the sin packet makes it possible to deceive the firewall and reach the system behind it. However, a stateful firewall will practically block all such crafted packets and render this kind of scan useless. A stateful firewall essentially blocks anything that does not match the allowed list.
And it doesn't matter how you try to deceive it, it's just going to block everything that doesn't match the IP addresses that are allowed to connect to its end points. So the question here is in a null scan, how many flags are set to one? And that would be zero. There are no flags that are set to one inside of a null scan.
Let me make sure my keyboard is awake. There we go. In a Finn scan, how many flags are set to one? That would be one.
In an XM scan, how many are set to one? That would be three. And we're going to start the VM and load the attack box. Once both are ready, open the terminal on the attack box and use MAPAP to launch a FIN scan against the target VM.
How many ports appear as open/filtered? So, I already have the attack box started and I already started the uh the virtual machine right here, our target machine. So, we're just going to do split view and then we're going to open it up inside of a full screen window so it's a little bit easier for us to manage this thing. And we're going to copy the IP address of the target machine.
And we're going to be doing a what scan? We're going to be doing a FIN scan. So, it's going to be lowercase S uppercase F. And I'm just going to run it without pseudo just to see if it's going to let me run it.
And if it I mean it already says that I'm root. So I I can run it without pseudo because I'm already root, baby. Okay, so here we go. So we're going to run N mapap and we're going to do it with the SF for the FIN flag and we're going to paste the IP address.
Press enter and it's going to run and boom, that was quick. Okay, so how many do we have? We have 1 2 3 or actually it says right here. Does it tell me?
No. So it says 991 did not show, meaning it scanned the top, thousand nine of them responded. So 1 2 3 4 5 6 7 8 9. Yeah.
So nine of them responded. So we have how many? We have nine that responded. Uh repeat the scan launching a null scan against the target.
How many ports appear as open filtered? So we'll come back over here and we'll do this n map s and then we're going to paste the IP address and let's see how many Oh, what what just happened here? That is not what I highlighted. So 10 10247201.
So how many do we think we got? So 991 closed, meaning we got a response from nine ports again. So again, it should be the same exact thing. So nine ports responded as open filtered.
All right, let's talk about the Maymon scan. Uriel Maymon or Mymon could be the name first described this scan in 1996. In this the FIN and acknowledgement bits are set and the target should send a reset packet as a response. However, certain BSD derived systems drop the packet if it's the open port exposing the open ports.
So, if the packets are dropped, then we can assume that it's an open port. If the packets are closed, we should be receiving an RST packet. It won't work on most targets encountered in modern networks. However, we included in this room to better understand the port scanning mechanism and the hacking mindset.
To select this, you would do lowercase S, uppercase M. And most target systems respond with an RST packet regardless of whether the port is open. In such a case, we won't be able to discover the open ports. The figure below shows what happened.
So, we just basically send a FIN and acknowledgement flags and then we get an RST. And it could be open or closed, which is it's I mean, it's kind of pointless like you can't really figure it out. So this is what the scan looks like and then you don't get anything right. It says all thousand scans uh all thousand scanned ports and nothing has responded.
So uh this type of scan is not the first scan that one would pick to discover a system. However, it's important to know about it as you don't know when it could actually come in handy. So how many flags do we set in this? We set two flags which is the the fin finish and acknowledgement flags are set.
Okay. So now we can actually move on to something that allows us to run it. So I'm going to go ahead and terminate this machine and we're going to move on to the next one and start this machine and first do the read through and then we'll actually do the scan. So in this section we're going to be talking about the acknowledgement window and custom scans.
So as the name implies the acknowledgement sends the acknowledgement flag, right? So we can use it with S A. So lowerase S, uppercase A to choose this. And as we can see, it's going to send the acknowledgement flag.
And then we should be receiving a reset flag indicating that the port is either open or closed. Right? So this happens because a TCP packet with that flag set should be sent only in response to a packet to acknowledge the receipt of some data. And in this particular case, we're sending it as the very first packet.
and there was no data that was received. So it won't tell us whether the target port is open in a simple setup. So this is what it looks like just like everything else pseudo and map and then you do lowercase S uppercase A give it the IP address. In this case we didn't get anything back, right?
This would be helpful if there's a firewall in front of the target. Consequently based on which acknowledgement packets resulted in responses, you'll learn which ports were not blocked by the firewall. In other words, this scan is more suitable to discover firewall rule sets and configurations. So after we launched the target machine, we repeated the acknowledgement scan and this time we received some interesting results.
So there was actually a firewall was launched with this instance right here. So they did the same exact scan, but in this particular case, we actually received unfiltered responses, meaning that this port, this and this one were not hidden behind the firewall. That's what the indication of this would be. So it's actually very interesting.
It can tell you whether or not there are ports that are not uh being blocked by the firewall and what the firewall rules are. So in this particular case out of these top thousand ports that were being scanned these three were not being filtered by the firewall. So actually very very handy and very useful to know. Okay.
So let's move into the window scan. So it's another similar scan uh which is the TCP window. Uh it's almost the same as the acknowledgement. However, it examines the TCP window field of the RST packets that are returned on specific systems.
It can reveal that the port is open. And you can do it by doing lowercase S uppercase W. And in this figure, it'll send the acknowledgement and the reset again. So it's very similar to the ACT uh packet being sent or the the acknowledgement scan, but in this case, it's actually just the the lowercase SAS W.
So it's a window scan, but it's actually sending an acknowledgement packet. So if we get a reset again, it's saying that it's either open or closed. So running it against the Linux system with no firewall, it's not going to provide anything. And we can see that the result of the scan is empty without a firewall.
But if we repeat the scan against the server behind a firewall, we expect to get more satisfying results. And what we can see right here are these pieces right here. So they're actually closed, right? So in the previous one, we saw that they were unfiltered, right?
In the the acknowledgement scan, we saw that they were unfiltered. So they're not being blocked by the firewall. However, in this particular case, it's showing that they're closed. So obviously, if they're closed, then the firewall doesn't need to block them, right?
So that's kind of the conclusion that we can make with that. So if you want to experiment with a new TCP flag combination, you can actually just use your own custom scan. And you can do that by doing the scan flags option here and then give it the flag. So this is the rst flag, the sin flag and the fin flag have been set in this particular case.
So then you would send custom flags using whatever your custom flags are and then I don't know what the response would be in this particular case but in this particular case if you do scan flags uh urgent acknowledgement push reset synchronize and finish all of them have been set. So all of the flags have been set and I don't know what the response would be. So it's essential to note that the acknowledgement scan and the window scan were very efficient at helping us map out firewall rules. However, it's vital to remember that just because a firewall is not blocking a specific port.
It doesn't necessarily mean that a service is listening on that port. So for example, there's a possibility that the real rules need to be updated to reflect recent service changes. Hence the acknowledgement and window scans are exposing firewall rules not the actual services themselves. Right?
So the acknowledgement scan showed that they were unfiltered but then when we did the window scan it showed that they were closed ports. Right? So it actually show it tells us a lot about the setup of that network and the firewall rules themselves not necessarily the services that are running on those ports. So in the TCP window scan how many flags are set and that is one.
you decide to experiment with a custom TCP scan and set the reset flag. What would you add after the scan flags and that would be RSD for the reset flag? So, the virtual machine received an update to its firewall rule set. A new port is now allowed by the firewall.
After you make sure that you have terminated the VM from Tax 2, which I already did. We're going to launch this one. And then once you're ready, you open the terminal and use Nap to launch an acknowledgement scan against the target VM. How many ports appear unfiltered?
What is the new port? To determine the new port, you need to compare the scan results of task two to the ones of this task. And is there any service behind the newly discovered port? Okay.
So, the ports from task two to the ones of this one. So, let's go to task two real quick. And let me zoom out here just to make it easier. So, we're going to go to the ports of task two.
There we go. Okay. So, what was open in task two? Oh, I totally don't even remember.
Right. So, what is it? We had um nine that were open, nine that were filtered, and this one had 994. So, I don't even remember.
Did I clear it out? I'm not going to clear it out. So, I'm not going to clear these results. These were the ports from task two.
So, we're not going to clear them just so we can use them as a comparison. So, in this particular case, we're now going to scan this target, which is the new port and or the new IP, excuse me. And we're going to be using the what type of what are we doing? We're doing an acknowledgement scan.
So let's zoom in here and we will do an acknowledgement scan against this one. So uh it's going to be end mapap sa like that. And then we're going to paste the IP address like so. Press enter.
And let's see what kind of a response we get and how long this would take. I wonder how long this takes. Okay, very quick. Okay.
So, uh we have four ports that are unfiltered technically. So, what does it say? It says um how many ports appear to be unfiltered. So, we have four.
Now, what's the new port number that appeared? Uh to determine, you need to compare to the task two of this task. I see. I see.
It's the That's so stupid. Okay. So, based on these comparisons, what's the new one? So, we have 225 80 and 443.
443 is the new one that shows up here. So, is there any service behind the newly discovered one? And it does. Technically, it says it's HTTPS because that's the default port for HTTPS.
So, we're going to say yes. Now, is there any service behind the newly discovered port number? The answer is yes, because it does say that there's a service. So, I don't understand why this is being uh the way that this is right here cuz this is technically they did a Windows scan.
So, I mean fine, let's do a Windows scan of this cuz uh based on the the acknowledgement scan, it says that there is uh a port service, right? It's that's what it says. So, we're going to paste the IP again. My god.
Again, this thing like as as soon as I highlight anything, I guess it copies it, which is stupid, but okay. So, we're going to do window scan now. And the same port should technically show up. And it says they're all closed.
So I guess there is no service behind them, I guess. But it does technically say HTTPS, so whatever. All right, let's talk about spoofing and decoys. In some network setups, you can actually scan a target using a spoofed IP address or even a spoofed MAC address.
But this is only useful when you can control the capture of the response or you can actually capture the response. Because if you're doing it from a random network that you can't capture all of the responses, then it doesn't really help you. You're spoofing something that you can't see what the replies would be. So, this is what the uh figure shows if the attacker uses NMAP- capital S and then they provide a spoofed IP address and then the machine IP, which is the one that you're going to be scanning.
So, it'll craft the packets using the provided source IP, which is the spoofed IP. and the target machine will respond to the incoming packets replying to that spoofed IP. And for this to work, you need to have the monitoring of the network traffic to actually be able to analyze what's coming to that spoofed IP address. So this is what it looks like, right?
So you send the command, the host, which is you, you're sending it to the server yo using the spoofed IP. the machine will then reply to the spoofed IP, which is this thing right here. And if you don't have access to the traffic of this specific IP address, then it doesn't matter what you do because you're not going to be able to find it. Like you're not going to be able to see what the results are.
So the attacker will send a packet with spoofed source IP address. The machine replies to the spoofed IP address and the attacker captures the replies to figure out what the open ports are. you expect to specify the network interface using the -ash e and to explicitly disable ping using dash capital p lowercase n. So instead of doing nm mapap s spoofed IP machine IP, you actually need to do something a little bit more sophisticated which is n mapap- e and then you give it the interface and then you do capital p lowercase n to disable pings and then you do capital S to give the spoofed IP and then the machine IP that you want to scan at the end of this whole thing.
So, it's worth repeating that this scan will be useless if the attacker system cannot monitor the network for responses, which is basically going to be that spoofed IP. So, when you're on the same subnet as the target machine, you would be able to spoof your MAC address as well because it will end up using the ARP protocol to actually send out its packet. So, you can specify the source MAC address using spoof MAC and give it the spoof MAC address. And this is only possible if the attacker and the target machine are on the same Ethernet network or the same Wi-Fi.
So you're in the same subnet so that it doesn't use IP addresses to try to communicate with the other device. It'll still use the MAC addresses because MAC addresses are used to communicate with devices on the same network. It doesn't necessarily need IP addresses to communicate with devices on the same network. So spoofing only works in a minimum number of cases when certain conditions are met.
Therefore, the attacker might resort to using decoys to make it more challenging to be pinpointed. The concept is simple. Make the scan appear to be coming from many IP addresses so that the attacker's IP address would be lost among them. As we can see in this particular figure, uh it's going to be coming from three different sources and consequently the replies will go to all of those sources as well.
Right? So, it'll come from the decoy, right? So let's go look at this. We have the decoy, the actual attacker IP and another decoy.
So the response is going to go to the two decoys as well as the attacker IP. So all three of them are going to get those responses and one of them is actually going to be you. So if you wanted to do this or use just random IP addresses, you can just do dash capital D. for example, end mapap- capital D 10101 10102 and then me which would end up being your actual IP address and it'll make it appear as if it's coming from all these things and then the MI is replacing that your IP address should appear in the third order.
Another example would be 10102 R&D R&D and then me. So R&D will end up being random choices, right? So random I IP addresses that NM map will just choose for you. And then the final one is going to be you the IP address for your actual machine.
So each time that you execute this latter command, this piece right here, you would expect two new random IP addresses to be third and fourth decoy sources because they are being randomized. So what do you need to do to or what do you need to add to this command right here to make this scan appear as if it's coming from the source IP address 10 10 10 11 instead of your IP address and so that would be what dash s and then you would do 10 10 10 11 like that so what do you need to do uh what do you need to add to the command this piece right here to make the scan appear as if it's coming from the source IP address 1010 20221 and 1010 20228 in addition to your IP address. So this is going to be the dash decoy portion. So we'll do dash d and then we're going to do 10 10 20 21 comma 10 uh 10 2028.
Whoops. And then comma me. And there we go. That's what we got.
So let's talk about fragmented packets now. Okay. Okay to understand why this is important why the concept of fragmented packets is actually important is first we need to understand why a firewall is how it plays out in this whole scenario here. So if you don't already know a firewall is either a software or they're actually physical firewalls that exist um that are usually attached to your routers or maybe your switches and they permit packets to pass through or block the packets from actually passing.
So it functions based on the rules that are established for it and it could be blocking all traffic with the exceptions or allowing all traffic with exceptions. So for instance, you can block everything to your server except those coming to your web server from a specific IP address. A traditional firewall will inspect at least the IP header and the transport layer header. And a more sophisticated firewall would also examine the data that's carried by the transport layer and signatures and things like that to determine whether or not it should block it.
Okay. Then you have the intrusion detection system which inspects the network packets for behavioral patterns or specific content signatures. And a next generation firewall will end up being something that actually has an IDS embedded into it. So the IDS raises an alert whenever a malicious rule is met.
In addition to the IP header and the transport layer header, the IDS would inspect the data contents in the transport layer and check if it matches any malicious patterns or signatures or anything else that you would have asked it to check on. So, how can you make it less likely for a traditional firewall or for the IDS to detect your end map activity? So, it's not that easy, right? Depending on the type of firewall or IDS that you're actually dealing with, you might benefit from just dividing your packet into smaller packets, also known as packet fragments.
So, NAPAP actually provides the option that you can uh declare by using the lowercase f so - f to fragment the packets. Um once you do it, all the data will be divided into eight bytes or less. So when you add another f, it could be - f-f or you just do - ff. It'll split the data into 16 byte fragments instead of 8.
So you can change the default value by doing the mtu. You should always choose a multiple of eight no matter what you do. So you can do mtu uh 8, you could do mtu 16, mtu 32, which I don't know why you would do that because it ends up just being 32 bits anyways. So you can do um or actually I guess not 32 bits, excuse me, because 32 bits would be inside of a given packet.
So if you're separating them by bytes, then you're talking about fairly large chunks of data that's being transferred back and forth. So whatever you're going to end up doing, just make sure that you choose multiples of eight. So to properly understand this, we need to go look at the figure again, the RFC 791 figure. Uh in particular, we're going to look at the source address taking 32 bits or four bytes on the fourth row while the destination address is taking another four bytes on the fifth row.
And the data that we will fragment across multiple packets is highlighted in red to reassemble on the recipient side. The IP uses the identification which is the ID and the fragment offset which is on the second row of the figure below. So we can see this right here. So this is the element right here.
Here you have the source address and the destination that take up a full 32 bits each. Then you have the data. Okay? And so the IP will go ahead and reassemble these things.
So let's go back and read this piece one more time. To reassemble the recipient side, the IP uses the ID and the fragment offset which is in the second figure which I guess we can't really see because where's the second figure? Is it down here? No, it's not.
It doesn't show us. Maybe I don't know if this is the thing that they're talking about, but this is the piece right here that I think they're mostly relevant to or more they're identifying or talking about, but it would end up taking the ID as well as the fragment offset. So fragment offset is right here. So it'll take the fragment offset as well as the identification, which I don't see here.
Oh, there we go. Identification. So there's identification, also known as the ID, and the fragment offset. These are the things that are going to be used to reassemble the data.
So, let's compare this using the stealth scan on port 80 and the stealth scan on port 80 and doing the -F right here. It's kind of hard to see because it's been separated. But with this one doesn't have -f. This one has -f.
So, we know that using a stealth scan on port 80. However, in the second command, we're also doing the fragmentation. So in the first two lines we can see that the ARP query and the response. This is what we see right here.
So the first two lines right here are the ARP query and the response. The second two lines show the sin ping and a reply. So sin ping and then RST acknowledgement has been sent. So that's the sin ping and the reply.
And the fifth line is the beginning of the port scan and it sends a TCP SIN packet to port 80 and the IP header is 20 bytes and the TCP header is 24 bytes. And the minimum size of the TCP header is 20 bytes. So if we go to look at this a little bit closer here, these are the R packets. These are the ping and the reply.
And then we get to see the SIN packet being sent to port 80. Port 80 replies. And we don't really get to see that the size of the data, but we can see that it is uh there's actually the sin has been done. So this is the one without the fragmentation.
So when we look at the fragmentation which is going to be this one, the 24 bytes of the TCP header are going to be divided into multiples of eight with the last fragment containing 8 bytes or less. And since 24 is divisible by 8, we get to see three IP fragments and 20 bytes. Oh, earlier I jumped from uh 816 to 32. So technically there was 816, 24, and 32.
Wow, my multiplication tables are so bad, bro. Uh I can I can just imagine what people are going to say in the comments. So we got three IP fragments. Each has 20 bytes in the IP header and eight bytes of the TCP header.
And we can see the three fragments over here. So we can now see that it's actually fragmented IP protocol, fragmented IP protocol. And then what's been sent as the final right here to port 80 and then there we go. And then port 80 actually responds.
So that's what we can see. So if you did FF or you know - F-fragmentation will be multiples of 16. In other words, the 24 bytes will end up being two specific fragments. The first one is going to be 16 and the second one is going to be eight.
So it's always going to do the first series of uh fragments by the number that you have declared and then whatever will end up being the last one will most likely end up just being that last eight bytes. So if you prefer to increase the size of the packets to make them look innocuous, you can use the option data length and then give it a number where the number specifies the number of bytes that you want to append to your packets. That's very interesting. So you can actually modify what your packets look like or what they perceive to hold and it will go ahead and add data uh whatever the number would be.
And I would presume that you want to add some kind of a even number, not necessarily a uh an odd number, but that's just an assumption on my part. So, okay, what's the question down here? It says, if the TCP segment has a size of 64 and the FF option is being used, how many IP fragments will you get? So FF means that it's going to split it into 16.
So if I go ahead and do a division of 64 by 16, it ends up being four packets. So we're going to end up getting four fragments that are going to be sent. And that is indeed the right answer. So now let's talk about zombie scans.
So, if you have the limitations that you're in a network setup that doesn't support spoofing, then there's another option that you have that can be done using the idle scan, also known as the zombie scan. So, this requires an idle system that's connected to the network that you can communicate with. So, for example, or essentially NMAP will make each probe appear as if it's coming from the idle host, the zombie host. So a printer right like technically a printer is connected to the network but a lot of times it's inactive because it's not receiving any kind of data it's just sitting there.
So it will end mapap will check for the indicators whether the idle zombie host received any response to the spoofed probe and it's accomplished by checking the IP identification. So IP ID in the IP header and you can run an idle scan using the SI lowerase S capital I give it the zombie zombie IP address and then the machine IP address that you want to scan and that would be it. So basically the zombie IP would be the the IP of the idle host. Uh this requires the following three steps to discover whether a port is open.
So trigger the idle host to respond so that you can record the current IP ID of the idle host. Then send a sin packet to a TCP port of the target and the packet should be spoofed to appear that it's coming from the zombie host. Then trigger the idle machine again to respond so that you can compare the new IP ID with the one that was received earlier. So this is what it looks like if we were just looking at it with the figure.
So, first and foremost, you're going to send the the acknowledgement to the zombie IP address, and it'll send something to you to give you its IP ID. Once you have that, you would then go ahead and uh craft your packet, craft the scan that you're doing to your actual target using that information. So the attacker will send a sin packet to the TCP port they want to check on the target machine and this packet will use the idle host the zombie IP as the source and three scenarios would arise. The first would be in this specific figure that the TCP port is closed.
Therefore the target machine responds to the idle host with an RST packet. The idle host does not respond. Hence the IP ID is not incremented. So keep that in mind.
Right? So every time you do this the IP ID will actually increment. So in this case we sent it from the zombie IP. The machine is going to send with a reset and the attacker system will now get that the IP uh the IP ID of this zombie will not be incremented.
The port is closed if we receive this reset packet. In the second scenario the TCP port is open. So the target machine responds with sin acknowledgement and the idle host responds to this with an RST packet and it increments its IP ID. So we send one right from us using the zombie IP.
The machine responds to the zombie IP. It's open. So the zombie IP will send a reset because it's literally just a printer. It's not going to do anything.
And so when it does this, the zombie IP ID is going to increment by one. In the third scenario, the target machine does not response at all due to firewall rules. This lack of response will lead to the same result as with the closed port, and the idle host will not increase the IP ID. For the final step, the attacker will send another SIN acknowledgement to the idle host.
The idle host responds with the RST packet incrementing the IP ID by one again. And the attacker needs to compare the IP ID of the reset packet received in the first step with the IP ID of the reset packet received in the third step. And if the difference is one, it means that the port on the target machine was closed. If the difference is two, that means the to port on the target machine was open.
So it's worth repeating that this scan is called an idle scan because it's choosing the idle host and it's indispensable for the accuracy of the scan. And if the idle host is busy, all the returned IP IDs would be useless. So you need to use something that actually is idle and it's not being used. So you discover a rarely used network printer with the IP address 10105 five and you decide to use it as the zombie uh in your scan.
What argument should you add? So that would be the idle, right? So it would be - SI, right? It's dash dash SI.
My god, I am having a hard time speaking. So we're going to do - SI. And then we would give it the 10 10 55. And that's it.
All right. So now we have another machine that we're going to end up using. And for this one, we're going to probably do some more scanning. So let's see what the documentation reads.
So what you can do is add a few different uh options to your scans to just get more details about what happened with the scan. And one of them would be the dash reason. So d-reason if you want end mapap to provide more details regarding its reasoning and conclusions. So we have two scans.
This is the one without the reasons. So you can see this right very basic and then you have the one with the reasons and then now it gives you the reasoning that it had. So sin acknowledgement TT time to live was 64 essentially. So providing the reason gives us the explicit reason why end mapap concluded that the system is up or a particular port is open.
In this output above that we just saw look right there we can see that this system is considering online because end mapap received ARP response. So this is actually the reason right here. So let me see. Oh there we go.
Host is up. Received ARP response. There you go. That's the reason over here it just says host is up.
So there's another thing. I just thought it was actually this piece right here, but it's this piece right here. Receiving an ARP response was the key element. So on the other hand, we know that the SSH port is deemed to be open because NAPAP received a SIN acknowledgement packet back.
So for more detailed output, we can actually now use verbose or VV for very verbose and it'll give us even more information. So you get VV for very verbose. And every step of the way as it's scanning, it tells you what's going on, right? And previously, uh I don't think it was I don't know if it was this video or another one.
I'm recording all of these on the same day. But as it scans, it'll be like, yeah, 40% done, 50% done, 80% done, and then it'll show you along the way that discovered open ports, discovered open ports, etc., completed the scan at this time, and then finally it gives you its report at the very end. Right? So very very useful stuff.
So if VV does not satisfy the curiosity, you can use D for debugging or DD for even more details on debugging and you can guarantee that using the D will create an output that extends beyond a single screen. So what we're going to do for this final exercise is we're going to do a stealth scan uh using the F flag and it's going to be fast. So, it's going to be scanning the top 100 instead of the top thousand. And we're going to ask for a reason.
And then we're going to be scanning this IP address at the very end right here. So, I'm just going to copy this. I know I can copy the whole thing, but I like typing these things out. So, we're done.
We're going to do a stealth scan with the F flag, and then we're going to ask for reasoning as well. So, let's go here and actually get this done. So, here we go. So, we're going to do N map.
We're going to do SS and we're going to give it the F and we're going to ask for a reason. And then we're finally going to provide the IP address here. Press enter. And there you go.
So it says host is of received ARP response. And what do we have? Sin acknowledgement TTL 64. All of those things, right?
So what does it say right here? It says uh what is the reason provided for the stated ports being open? And so it is this thing sin act which is basically the same thing that we just saw right here as well. And that's it.
We got the reasoning for it. And that was our last exercise for this room. All right. So, in conclusion, as a summary, we have talked about a variety of different techniques and scan types and all of that good stuff.
So, we talked about the null scan, the Finn scan, Xmmith, Mayon or Mymon acknowledgement window, and even customizing our own TCP scans. And then we have all of the options here as well. And you can always just go to N MAPAP or you know your Linux machine and just do mann map and pull up the manual for end mapap and just read through this like you this is one of the easiest ways to learn as much as possible about a given tool and it'll show you exam uh examples that it has. So example one, a representative endmap scan.
It's using - a. So it's going to do all of the scans and it's going to do it a little bit faster than usual and it's going to provide all of these things for you. And so it finds the SSH host key for you. It found the open port for SSH itself and all of the elements that are assigned to it.
And then it found port 80 that was open. Uh it pulled the HTTP title for you. would pound the version of server that's running on it etc. So this is just an example scan and then you can go through the option summary read through all of those details and there's a lot of stuff that's available for end mapap for you to learn and use and just become masterful at.
So this is not a tool that you can learn how to use with just a handful of videos. You have to experiment with it. You have to go through all of the different options that are available to get really good at it, to get proficient at it. And should you choose to invest that time then you will get a result as a response meaning you will actually get good at using end mapap and then most likely you will stand out from your competitors and your peers at work and so on and so forth.
So all of these options are also available inside of the manual and the explanations for all of these options are available. We also talked about spoofing our IP address but you do need to have access to this spoofed IP address over here. We talked about the MAC address spoofing, the decoy scan, and of course the zombie scan, and how to fragment your IP data into eight or 16 bytes or even how to do it uh for other sizes as well. You can do a source port.
This is another one that we didn't talk about, but you can actually specify the source port that you want to scan from, that you want to show your scans are coming from, and even the data length option where you can append random data to each given packet that's being sent out to reach a given length that you're interested in. Um, then there's the reasoning element to pull more information, the verbose and very verbose debugging and details for debugging. So all of this stuff is available if you want to learn even more about what's going on anytime in MAPAP does a scan and the information that is being uh collected and its processing and all of that stuff. So you can just learn more about how it works and what happens behind the scenes instead of just pressing enter with some basic options and then getting the results the report that it gives back to you.
So really powerful tool I personally love it. There's one more video that's left in our series, which is the postport scans for N MAPAP. And once that's done, we're going to move on from N MAPAP to the rest the uh the remaining series of videos that are available to us. Um, which are going to be so let's zoom out a little bit so we can look at this.
So, we have postport and then we're going to go through protocols and servers and protocol servers part two. And then there's a network security challenge that's available at the end of this module. And we're going to go through all of that stuff together as well. So hopefully you found some value out of this video and you learned some really cool things.
And then we are going to move on. If you did get value out of this video and you want to get more videos like this one, I encourage you to like, subscribe, and turn on the notification bell so that you get notified the next time that a video comes out on this channel on this pathway which is junior pentester. And if you're really interested in pentesting, then there's the CompTIA Pentest Plus playlist which is available. This weird screenshot that you see right here is the very first live stream I ever did during uh this was earlier today.
It was like a birthday surprise live stream that I did for the community. It was very wellreceived. A lot of people loved it. So, I'm going to most likely do more of those from now on just to make sure that people actually get to have their questions answered and we'll do an AMA and all of that good stuff.
And then there's the other playlist as well. So we have the CompTIO pentest plus which is uploading every Friday until it's done which is I think it'll happen in a few weeks. Network plus is already done. Hack anonymous exclusives.
We have CompTIO security plus done. Linux plus is already done. And then there's a bunch of other ones. Security engineering all the compilation.
So level two. Um cyber security 101 which is really big deal. Members only videos obviously. And then there's this is the actual sock level one section.
Sock level two and security engineering. So there's a lot of stuff. There's a lot of stuff that's available for you. If you don't want to browse or if you already know what you're looking for, you can just go to this little search box right here and then search for something.
So, for example, let's say Splunk. Let's say you want to learn more about Splunk. You search for it and there's a bunch of videos that come showing up about Splunk and how you can use Splunk. If you want to learn about John the Ripper for password hacking, you can search for John the Ripper and then find videos on that one.
There's a lot of stuff that's available. So, uh, just depending on what it is that you're interested in, what you're trying to do, you can find information on this channel. And there's over 390 videos, 397 as it stands right now, but by the time that you see this, it's most likely going to end up being 399. And I think my screen froze a little bit, so sorry about that.
So, there's a lot of stuff. There's a lot of stuff that's available, and there's a lot of stuff that's continuing to come out. And most likely by the time that you see this video, the channel will have grown to even a larger number and the video count is going to be even higher. And it's really crazy to think that we're over 25,000 subscribers and I've been doing this for I think a year and a half maybe something like that.
And that's just very humbling. It's like a really crazy experience. And I hope that you'll end up joining this community because there's a lot of content and a lot of value that I try to share with everybody and I want you to get access to it too soon. So if you have any questions or comments about what we talked about today, drop them in the comment section below.
Otherwise, make sure that you like, subscribe, and turn on that notification bell so that you get notified the next time that a video comes out on this channel. If you're serious about your SCIC education and you want access to me on Discord, consider joining Hackaholic Anonymous. We have four tiers, the supporter, agent, guardian, and master. Each tier gets their own Discord server, and early access to content.
The agent, guardian, and master levels get exclusive content, exclusive downloads, monthly Python automations, live streams with me every month, plus so much more. And to join, you can simply click the link in the description below, or you can go to our homepage and click the join button there, or you can go to youtube.com/hankhackshackers/join, and you will be able to join hackaholics anonymous. I hope I see you in the Discord chats. If not, I hope I see you in the comment section.
It's your boy Hank Hacker sent Hank Hacks Hackers, your favorite networking system attacker/protector. If no one else loves you, Hank loves you. love, peace, and chicken grease, and I will see you in the next video later. In episode 27 of the Junior Pentester training series, we are going to continue with our end map series of videos for network security and we're going to be talking about the postport scanning activities.
So, the things that you would do after the scan or to enhance your scans. And this is a part of the series that goes along with NAP. And of course there is all the videos that are inside of the network security module. So uh the next couple are going to be protocols and servers part two and one as well as the network security challenge.
So for this video we're going to be doing you know the introduction service detection uh OS detection and trace route end mapap scripting engine saving your output and of course the summary final thoughts and things like that. And then you will be dismissed for the day. the uh v uh the video or what am I saying? The room itself.
I'm kind of losing my thoughts here. Uh the room that we're going to be using is going to be inside of the try hackme platform and it was developed by Stratagos. Now, this is I think going to be the official pronunciation of Stratagos cuz somebody in the community told me that I think it's Stratagos. You know what I mean?
Like it's kind of like a a modified version of Stratagos. Maybe. I think that's what it is. Maybe.
I have no idea. The only way that I'll know for sure is if Stratagos actually hits me up and says, "This is how you pronounce my username." But anyways, that's basically what it is. This is a subscriber only room that's available inside of Try HackMe, meaning you do need a paid membership. However, if you have access to Nap on your own computer, then you can just go along with everything that we're going to be talking about in this video and you'll be able to implement all the exercises and learn everything that we're going to be talking about today.
So that is pretty much it for the overview for this video for NMAP post scans. And of course a quick note from our sponsor Hackaholics Anonymous and we will dive deep into the contents. Let's go. If you're serious about your sci-c education and want access to me on Discord, consider joining Hackaholics Anonymous.
We have four tiers. The supporter, agent, guardian, and master. Each tier gets their own Discord server and early access to content. The agent, guardian, and master levels get exclusive content, exclusive downloads, monthly Python automations live streams with me every single month, plus so much more.
And to join, you can simply click the link in the description below, or you can go to our homepage and click the join button there, or you can go to youtube.com/hankhackshackers/join, and you'll be able to join Hackolix Anonymous. Now, without further ado, let us jump into NAPAP postport scans. So, we have officially come to the last video in the NM MAPAP series. And in this particular video, we're going to be talking about service detection, OS detection, the scripting engine of NAPAP, and of course, s uh saving your scan results for further analysis after you're done scanning.
And in the first room, we learned about enumerating targets and discovering live host. Then, we learned about reverse DNS to find interesting names. And then, we talked about all of the different types of scan uh in the second and third video. And then now we're finally going to be talking about the detection of the versions of the running services, detection of the OS that's running, uh, end mapaps, trace routes, naps scripts, and of course saving the results.
And all of these things that you see right here, the ones that have been grayed out are the ones that we've talked about in the previous videos. And these are going to be the ones that we're going to be talking about today. And it's actually very straightforward. These things are quite easy to wrap your head around, especially if you've gone through all the previous videos.
So if you haven't gone through those videos, I do encourage you to check them out. But if you've already gone through those, the rest of this stuff is going to be a piece of cake. So, I'm going to make sure that our attack box has been launched and we actually have access to the virtual machines. And from there, we're going to run and gun.
Let's go. Okay. So, this is where your reconnaissance really starts to take off is when you start discovering the various services and operating systems that are running on these ports that we've been scanning. Because once you know what services are running and then what versions of those services are running, then you can really start doing some reverse engineering to see what kind of vulnerabilities actually would exist for those versions of operating systems or services.
And then from there you can go to a place like exploit database or GitHub or even try to write your own vulnerability or exploit I should say. And it becomes a really interesting experience because that's where the rubber really meets the road. So if you do a really good job of reconnaissance and research and finding out the versions of things and the the the operating systems and the potential vulnerabilities that exist for those things. You can use metas-ploit for example to find existing exploits that would exist for that given vulnerability or for that operating system and it you're off to the races.
You know what I mean? It's just that you have to do really good recon and enumeration and research to actually make the exploit part work well. And as we go forward with Junior Pentester and as the rest of the videos for CompTIA Pentest Plus get dropped every Friday, this becomes one of those common themes where if you've done really good research, the exploitation phase becomes incredibly easy, almost scarily easy because you already know exactly what you're going to be attacking for your attack vector. If you don't do good enough research or reconnaissance, then you go to try an exploit, it doesn't work, and then you have to come back and do more recon and research.
Then you try it again. Doesn't work. Then you have to come back in. So spend a lot of time on recon and research.
As the old saying goes, if you have 4 hours to chop down a tree, you spend 3 hours sharpening your axe. And reconnaissance and research and enumeration counts as sharpening your axe. And then you spend that 1 hour chopping down that tree and doing some very precise exploits because you know exactly what you're going to be attacking. And that's kind of the whole spirit of everything that we've talked about so far and as it combines for this video as well.
So when you use the lowercase S uppercase V, so SV, it's going to start collecting and determining service and version information for the services that are running on those open ports. And then you can look at version intensity level, for example, where the level ranges between zero, which is the high the lightest, excuse me, and nine being the most complete. So if you do for example SV version light has an intensity of two, version all has an intensity of nine. So these are the ver the ways that you can try to get as much detail as possible about those services that are running on those ports.
When you use SV, keep in mind that it's going to do the TCP 3-way handshake. So the connection, right? It's going to do another version of the connect scan that we did. It's just going to search for more information.
And this is a loud type of scan. So keep that in mind. If you're trying to evade being detected on a network scanner or a network monitoring tool, then you want to combine SV with maybe the slowing down of the the timing, right? Sending it at a paranoid level or as a careful level so it doesn't set a bunch of packets at once and at least it makes it a little bit easier.
Or maybe you want to fragment the packets that are being sent. There's a combination of things that you could do that we talked about on the previous videos to try to avoid detection of the firewall or the intrusion detection system etc. So if you do for example the connection establishment is very necessary because you can't discover version without actually establishing a connection. So when you do a stealth scan which is SS it's not possible to do SV at the same time because SV requires that full TCP 3-way handshake.
the stealth scan for example if we try to do this so we're going to do a comparison here so we have the output that shows the stealth scan with the SV option adding the SV option leads to a new column in the output showing the version for each detector for instance the case of port 22 instead of 22TCP open SSH we obtain open SSH and then we have the version of it Davian etc etc so the SSH protocol is guested as the service because the TCP port22 is actually open MAPAP didn't need to connect to port 22 to confirm. However, SV required connecting to this open port to grab the service banner and any version information. For example, in Jinx 162. Hence, unlike the service column, the version column is not a guess.
So, when you see this right here, the service column right here is a guess. It's guessing based on this is like the default port for SSH. This is the default port for SMTP. It's making those guesses.
But the version column that we see right here, this is actually done with that connection being established and then the headers are being pulled so that it can figure out that this is dovecot pop 3D for example. You know what I mean? So you it's a combination of the two. However, again just keep in mind anytime that you do this when you do the SV element of this it's going to establish a connection.
So many end mapap options require root privileges. Unless you're running end mapap as root, you need to use pseudo. And we're going to start the actual version m. I already started it.
So I think it's ready and up and running to go. Same thing with the attack box. I think it's ready to go. So what we're going to do start doing is just doing some version scanning of the target machine that we have here, which is 1010 18662.
So, I'm just going to copy this and the rest of it I want to type because I really do want to get this in my fingertips and really get a good understanding of how these commands actually go. So, I like typing most of them out and I know that you can copy it and just paste it. I understand all of that, but I just like typing it out. So, which service did not have a version detected with version light?
So, that's another question that we're going to get based on running this scan. So, we're going to go ahead and do our split screen here so that we can maximize this view and then we'll have a full screen version of the attack box and then we can open up the terminal and run that scan. So, just as a reminder, let me see what the command is supposed to be. Uh, end mapap sv and then we're going to do version light and then we're going to do the IP address.
So, here we go. Let's do this. I'm so excited about this. I love running anything on the command line because it makes me feel like I'm an actual hacker, which I am, by the way.
At this point in my career, I feel like I've learned enough to be like a decent pen tester. So, end map. And we're going to do SV like that and then version light like that. And see, I also have a mechanical keyboard.
So, it just makes it really fun to type these things. So, there we go. Now, it's running. And I think it'll take a little bit of time.
or maybe it just might be quick depending on what the the response would be. There's also other ways that we can make this a little bit faster for oursel by maybe uh shortening the number of scans that it does. So, by default, it'll scan the top 1,000 ports. As you can see right here, 992 were closed, meaning that we actually have eight ports that have shown up here.
And one of them is missing the version, which is RPC bind. So, that's what we get. Now, what it says right here is what is the detected version of 143? And it's Dovecot IMAP D is what it says.
So, we're going to type that piece out. Dovecot IMAP D. And then RPC bind was the one that did not have a version detected. Excellent.
So, let's talk about OS detection and using trace route. OS detection will be done with the capital O. So this is an uppercase O as in OS. That's the way that you can remember it.
Service or service version is the SV. These are the ways that I try to remember these various scan types. So uppercase O would be for OS and they actually combined it with the stealth scan. So that did work for them.
Uh NAPAP detected the OS to be Linux 3 something and then it guessed further that it was running kernel 3.13. So this is what we can see right here. So, it ran everything and then we get the versions of this or actually it's not where is it? I think it's towards the bottom.
Yeah, there we go. So, towards the bottom we see that it's running Linux 3 something and then the OSD details Linux 3.13 kernel 3.13 is what it guessed right. So, the system that we scanned and attempted to detect the OS version is running kernel version 316 and Map was able to make a close guess in this case. And in another case, we scanned a Fedora Linux system with kernel 51314.
However, NAP detected it as Linux 2.6x. The good news is that NAPAP detected the OS correctly. So, it is Linux, right? The not so good news is that the kernel version was wrong.
And this is what I mean when I say that you really want to do indepth reconnaissance because if it's actually running 3.16, there's a good likelihood that it has all of the errors that were patched after 3.13. Right? So 3.13 is older than 3.16 and there is what three or four I think three versions at the very least because 14 15 and 16 right so three versions that came after 313 and all of those versions had something that was updated including maybe some vulnerabilities were patched and so if you're basing your entire research based on this output right here and then you go and you try to find vulnerabilities that match 3.13 and then you're trying to run all these exploits that are attacking a 3.3 3 version of Linux and you come up short, it's because you didn't fully figure out that it was actually running 3.16 and now you're wasting your time and energy and then you have to go do more research, etc., etc. So, this is why we want to do full reconnaissance, right?
So, it's good to know that it's Linux. It's not so good to know that the kernel version is completely off, right? OS detection is very convenient, but many factors might affect the accuracy. First and foremost, NAPAP needs to find at least one open and one closed port on the target to make a reliable guess.
It is still a guess, but it's I guess as close to reliable as possible. The OS fingerprints might get distorted due to the rising use of virtualization and similar technologies. Therefore, always take the OS version with a grain of salt. Then we have trace route.
So, if you want to find the routers between you and the target, you can just do trace route. And in this example that we're going to see at the bottom right here, we appended trace route as the scan results and end mapap trace route works slightly different than the actual trace route command by itself or trace RT which is on Windows. So trace route is on Linux and Mac because they're based off of Unix and then trace RT is available for Microsoft Windows. So trace route starts with a packet of low TTL time to live and then it keeps increasing until it reaches the target.
NMAP's trace route starts with a packet of high TTL and then decreases it. So we did in this example end mapap SS so stealth scan we appended trace route to it and we can see that there are no routers or hops between the two as they are connected directly right so where do we see that trace route there we go there was there was one hop and it went from the the starting machine to the target machine right so one IP address one in the middle and that's basically it many routers are configured not to send ICMP time to live exceeded which would prevent us from discovering their IP address for more information. We can look at active reconnaissance which already has been done. So if you haven't seen the active reconnaissance video inside of Junior Pentester, I would recommend you go check that out because active reconnaissance we talked about trace route and we looked at different examples of running trace route to find the number of hops that a packet will take or a connection trying to get established will take.
And it's always random. It's never going to be the same exact number of hops. Even though in that specific exercise when we ran it, it did give us the same number of hops, but usually it's not going to show you the same number of hops with the same routers that it took or the same paths that it took. It's typically going to give you a bunch of different IP addresses every single time that you run it, but that's for a different room.
So, if you have not seen active reconnaissance, go check that out as well. So, now we're going to do end mapap with the O option against the target which we had right here. So, I'll copy that again. And so again, we're just going to go over here.
And as a good practice, I always keep saying this, but for whatever reason, I forget to do it. And when I do it, actually on my own exercises, I promise you I do do this. So end mapap O. And then it said do it with trace route.
No, we're just doing O. And so we're going to paste this piece right here, right? And then this is what I always say, just do V at the very end just to get some verbose output. So it shows you as it's finding them.
See, it says it discovered these and it it's going to do the rest of the stuff as well. And then it's going to generate the final report for you. And you see how that it's now finding all that stuff. Look, it found all these other information, the TCP IP fingerprint and the various OSS that it tried to detect or guess.
And all of this stuff is showing to us because we actually did that -V for the verbose output so that we can get some detailed output. Right? So now we have all these various OS versions. This is the uh the full report that we have right here.
So what's it's asking what what's the question here? It says what OS did end MAPAP detect and the operating system. No exact matches if you know what's running TCP IP fingerprint OS scan etc etc. Let's see what it guess the the guess.
What's the guess? Where is it at? So I did run it again without the -v just in case it would try to find some kind of response for us. But it still said the same thing, right?
So, it said no exact OS matches were found, but if you know what's running, you can just search for it on the actual or you can submit it to the nmap.org website. But over here, if we just go through the information that we get right here, we can see that it says PC Linux GNU. So, we can detect that it's potentially Linux cuz there's a lot of information that's over here. But through all of this jargon, we can detect that there is Linux right there.
So, I'm going to just go ahead and type out Linux. And there you go. That's the actual answer. So whether or not you do -v, it seems to be that it'll still give you the same exact output and it's up to you to try to find whatever the response might be in this uh guess that it's making because no exact match was found, but it did make its best guess.
So let's now talk about all of the scripts that come inside of the end map scripting engine, which is actually really freaking useful. It's really awesome. So, in case you don't already know, a script is essentially a piece of code that doesn't need to be compiled. It remains in its original human readable form and doesn't need to be converted into machine language uh or assembled is another way to talk about it.
So, many programs provide additional functionality via scripts. Scripts make it possible to add custom functionality that did not exist via the built-in commands. N MAPAP provides support for scripts using the Lua language and the NM MAP scripting engine is a Lua interpreter that allows NAP to execute N mapap scripts written in Lua. We don't need to know Lua to actually make use of these scripts.
We just need to know how to refer to the N mapap scripts that actually exist. Now when you go to the end MAPAP installation folder, it's in our particular case, it's inside of this location. So it's basically wherever end mapap is installed. If you find that specific portion in your file system, there's inside of this folder, there's going to be a scripts folder.
And inside of the scripts folder, you'll be able to find a bunch of scripts that are in here. So, these are some of the scripts, right? And there is one in particular that I'm actually really, really interested in, and I believe it is called the VULN. There we go.
So, there we go. So you have the VULN and then it shows all these different CVEEs that it can potentially scan for which is actually very freaking interesting. So it'll try to go for all of those. If you specifically use each one of these, it'll go for those.
But there is another one that actually just goes for all of the vulnerabilities. And I'm trying to find that one in particular because I think it's like HTTP vault in general or whatever that is. So, I will go ahead and try to find it for you. I might have to Google it, but let's see.
Let's see. Let's just go and ask Gemini real quick. Okay. So, it's actually just script vone.
So, script vuln and it'll scan for any and all vulnerabilities that it can potentially find. it is a good idea or I think it's like a requirement to do the SV option here as well because it enables service and version detection and many vulnerability scripts rely knowing on the service and version to accurately check for vulnerabilities and then you just do that combined with the script vone option and it will do what it's supposed to do. So that's what it is but I mean as you can see right here there are very many other scripts that exist here as well. So you can specify to use any or a group of these install scripts.
Moreover, you can install other user scripts and use them for your own scans or you could just have Gemini write one for you. You know what I mean? Or Grock or GPT, whatever your favorite AI is. So we're going to go through some of the default scripts and you could do script default and it'll just use the default scripts or just doing the dash s lowercase S uppercase C.
In addition to the default categories, there is authentication, broadcast, brute force, default, discovery, DOS, which is denial of service, exploit, external fuzzer, intrusive malware, safe version, and vone. There we go. A brief description is shown right here. So, O was look for authentication related scripts, broadcast with discover hosts by sending broadcast messages.
Brute performs brute force password auditing against login. This is actually very handy right here. Default scripts named as uh lowercase s uppercase C. Discovery retrieves accessible information like the database tables and DNS names.
DOSS is for uh servers that are uh vulnerable to denial of service. Uh exploit attempts to exploit various vulnerable services. Uh external checks using a third-party service like Geo Plugin and Virus Total to try to find vulnerabilities. Fuzzer launches f uh fuzzing attacks.
intrusive scripts such as brute force attacks and exploitation. Malware scans for back doors. Safe. What?
What did I just do? I just clicked tab and it brought me all the way to the top or bottom. Where am I? I don't even know where I am now.
There we go. Okay. Safe scripts that won't crash the target, retrieve service versions, and of course checks for vulnerabilities or exploit vulnerable services. So, some of these scripts belong to more than one category.
Moreover, some scripts launch brute force attacks against services while others launch denial of service attacks and exploit systems. It's crucial to be careful when selecting these things if you don't want to crash services or exploit them. So, we can use end mapap to run a sin scan against the target and execute the default scripts. And the command is this right here where SC would be the default scripts.
Uh there are some details that will appear and we can even get all four public keys related to the running server which is very useful as you move towards your exploitation phase. And another example potentially could be that the HTTP service at port 80 and map retrieve the default page title. And this is it gives you a much larger response when you use any of the scripts than if you were just doing a normal scan. So for example, this is all the data that came from port 22, right?
And then port 25, this is all the data. And then port 80, this is the data. And then etc, etc. For each port, it gives you more information than previously uh ran scans that we've done so far.
So just based on what we've done so far, if we look at this right here, for example, this is it, right? So these are all the ports that were available here. But you can see that it's just giving us this basic information. And then when we look at the vulnerability output or the the default script scan that was done, it was giving us a lot more information.
So you can specify the script name by using script and then giving the script name or doing something like script and then doing something like FTP and then an asterisk which would include FTP brute. Essentially the asterisk is the wildcard character and it'll get replaced with anything that has FTP in it. Uh if you're unsure what it does, you can open the script file with a text reader like less on the command line or just a text editor. And in the case of FTP brute, it says that it states that it performs brute force password auditing against FTP servers.
And you got to be careful as some scripts are pretty intrusive. So if you're trying to be uh if you're trying to avoid detection, you may not want to use something that has brute in it because it's going to try to brute force something. So you definitely want to avoid those things if you're trying to avoid being detected. Some scripts might be specific server and if I chose a random, it'll waste your time with no benefit, which again goes back to doing really good reconnaissance so that you only use the things that are relevant to you.
So if we do HTTP date, it would retrieve the server date and time and it's confirmed in the description, right? So it gets the date from HTTP like services. Also, it prints how much time or how much the date differs from the local time. So, we would do this as the full script or the full command to run the HTTP date script.
And so, we would run it and then it says HTTP date Friday yada yada yada 0 seconds from local time. So, it's assuming that it's basically running on the same time that this person was when they were running it. So you might expand the functionality beyond the official script and you can write your own script or download scripts from GitHub for example. Downloading and using an end mapap script from the internet holds a certain level of risk because it could potentially be embedded with malware.
So if you're going to do this then paste it inside of uh Gemini or Grock or GPT and be like hey is there any malware in this? Is there anything inside of the script that I need to worry about so that you know it doesn't mess up my network or my computer or anything like that? So let's see what the question is. It says knowing that the scripts are saved in end mapap scripts what does the script HTTP robots check for?
So we can go ahead right here and essentially we can just append it to the end of this and we can just do less for example and then put this at the end of that. So it's http robots.txt. So I can go right here and do something like excuse me sorry about that. Uh so we can do something like you know um less and then we would give it the full path right and then at the end of that we would do http robots.txt and it says there's no such file directory.
So what's the http robots.txt that's what it's supposed to be. So okay why don't we do this then? We're going to CD to that location. And let's see if we can actually find that script.
http robots.txt and and and is it here? Ah, see I see. So it says nse at the end of it. So that's the piece that we were missing.
So http robots.txt.n is what we need to do. And there it is. now tells us what it potentially can do. So, it checks for disallowed entries in the robots txt on a web server.
And that I think is the description that we're really interested in. Oh, if I scroll up, it won't work. So, what if I click up? Click up doesn't work either.
So, okay. So, sorry about that. I know that noise when in the recording is a little bit more annoying than it is. So, it checks for disallowed entries.
So, it checks for disallowed entries. Can you figure out the name for the script that checks for the remote code execution vulnerability? This piece right here. So, we already can do that.
So, I'm going to escape out of this. Right. Can I escape out of that or control C? How do I escape out of this?
That's so annoying. Okay, quit. So, Q for quit. That's the one that you would do to escape out of that.
Now we're looking for the CVE 2015 1635. So that's the piece that we're looking for. Now what I can do is this. I can do ls and then gp it to uh what is it?
CVE, right? CVE 2015 1635. So we'll do it like this. CVE 1635.
And okay, maybe that's not it. Okay, I had to try a few different tactics. So grip by itself obviously doesn't work. I forgot my own teachings with Linux.
So I feel I feel a little bit ashamed of that. But it took me a few different tries to try to figure out what I was trying to do here. So all of these things are in lowercase. So when you do GP without applying a case insensitivity, then it'll search for the actual capitalized version or whatever it is.
It'll try to search for it literally. So when you do ls la and then you grab for something if you want it to be in caps lock or if you don't know if it's in caps lock you can do case insensitive by doing dash i. And then the other element of it is making sure that you have the uh the preceding and succeeding um asterisks to account for anything that might come before or after your keyphrase. So in this particular case there we go.
So we have it. So it's HTTP vone 2015 yada yada yada. That's the piece that we are looking for. So we should just paste that and that's the answer.
Excellent. Okay. So now we're going to go through this after you ensure that you've terminated the VM from the task two. So is there another one that's over here?
I guess there's another virtual machine that's inside of this one, huh? So after we've terminated that, we need to go ahead. Yeah, there's another machine here. So I'm going to terminate this one.
I'm going to launch the new one that's inside of this specific task. And then we're going to run this scan at the bottom right here, which is the the uh default script scan. So when we run it, it says you'll notice that there is a service listening on port 53. What is the full version value of that service?
So let us I'm going to wait for the the machine to launch and then we'll go ahead and run it. All right, cool. Now we have the IP address assigned to us. So we're going to go ahead and copy this piece and we're going to do a default scan.
Right. So let's go ahead and see what we can do here. Um I'm just going to stay in the current folder that I'm in. I'm just going to clear the screen just to make it a little bit easier for us.
So we're going to do N mapap and we'll do SV and SC and then we're going to paste the response here. and let's see what we can learn about this IP address. And the question specifically that we're answering here is there's a service listening on port 53 which is the DNS port. So what's the full version of the DNS port which would be responding to us.
Now interestingly enough I only get port 111 open. So that's interesting. So let's do SC just by itself and let's see what that does here. Maybe I shouldn't have done SV.
Okay. And it's still only giving me this one port. So now what we're going to do is we're going to give it the specific port of 53. 53.
53. And then we're going to do SC and give it the IP address. Let's see if it get gets anything for port 53. So this is what's really interesting, right?
So when I ran it just by itself, it only showed me port 111 being open. And then when I ran it specifically against port 53, it pulled some information about port 53. And so the bind version is right here. And this, I believe, is what they're looking for for us.
It's so weird that it didn't show that when we just ran the default scan by itself. So there we go. That should be the answer right there. Based on the description, descript SSH2 enum algos reports the number of algorithms for encryption, compression and etc.
that the target SSH2 server offers. What is the name of the server host key algorithm that relies on Shaw 512 and is supported by this? The name of the server host key algorithm. So let's go ahead and run it on what is it?
It's on port 22. So it would be SSH2 I would assume. So now we're going to do the same thing here. I'm just going to do the port 22 scan and we'll do this.
And actually so maybe not even that. I think we should be doing SSH enum algos. So that's what we should be doing. So instead of doing the default, we're going to do the script.
So actually I'm going to do d-cript and then that equals to uh ssa come on equals to ssh enum algos. Let's see if that's what it is and fail to initiate. Let's see um I think my syntax is incorrect or ssh enum algos. My syntax was incorrect.
It needs to be yeah script and then like that. So we'll try it again and it needs to be SSH2 enum algos. So one more time end map. This is the this is the one right here.
Script. And then we'll do SSH2 enum algos in quotes. And then we'll give it the Oh, I didn't give it the the I didn't give it the IP address. That's probably why it didn't work last time.
So 1010 1641 134. And there we go. Boom. Look at that.
A good amount of information. Now, we're looking for the response to which one? Shaw 512. The algorithm that runs Shaw 512 and is supported by that.
So, if I come here, it's RSA Shaw 512. I think that might be the one. So, we'll just copy that for now. Let's see if there's anything else that has to do with Shaw 512.
The Algo server host key algorithm. I think that's the one that we're looking for. And there's nothing else that would be relevant to that. So we'll paste that.
Is that the answer? That is indeed the answer. And so we have another one now that there's going to have its own virtual machine. So we're going to terminate the old one and we're going to launch the new one and we're going to read through this and by the time that we're done reading it, the new machine should be up and running and then we can just run the scan.
So let's talk about saving the output. So, whenever we run a scan, it's only reasonable to save the results in a file. And there are a few different ways that you can do this. And one of my recommendations always is to append the results to a scan file instead of overwriting them or instead of creating multiple files.
Uh that way you can have one comprehensive file and uh save a bunch of different outputs for the same target. Right? So this is assuming that you're running it against one target. If you're running it against multiple targets, then in that case, you would want to save them in separate files.
But if you're running a variety of different scans against the same target, you want to append your results. And then I'll show you how to do that as well. So when you save the results, there are a few different formats that you can uh gra uh grab, right? You can extrapolate or kind of expand upon.
So selecting and adopting the naming convention is also crucial to make it simple for you and the number of files can go. So your ability to be able to find a previous scan will end up being very difficult. So again you want to append them. So normal greable meaning being able to g it or search through it.
And then there's the XML version. And the fourth one that we would not recommend would be the script kitty, which if you know what that is, it's basically people who copy scripts from or copy malware and things like that from across the internet and use it for their own. But if you're using scripts or malware or anything that's been pre-established, exploits that have been pre-established, there's a really good chance that it already exists inside of the database for an IDS and it can detect the signatures for that. So when you run it, you'll automatically be blocked and it doesn't work very well.
It it just it hinders your process. So it'll block your IP address. They'll block your MAC address most likely and maybe your even your subnet or whatever. So you want to stay off the radar as much as possible.
And if you use a script kitty format there, there's a very high likelihood that there's going to be some kind of signature, some kind of file signature that's going to show up and it's going to block your scan and even get you blacklisted. So, as the name implies for the normal output, it's basically very similar to what you would get onto the screen, right? So, the machine IP scan.nmap, this is the first output that we're looking at, and this is what it looks like, right? So this is the file that was saved and so it just looks normally like what it would if you were just running end mapap into your terminal.
Gpable is what you can search through. It comes from the global regular expression printer and it makes filtering the scan output for specific keywords easier. So you can ska save it in grippable format using the og lowercase O uppercase G and then giving it the file name and it would save it in a grippable format. If you just did - O by itself, it would save it in the output, which would be a normal output.
And the normal output is 21 lines. However, GPable output is only four lines. And the main reason is that Nap wants to make each line meaningful and complete when the user applies GP. As a result, in greable output, the lines are long and are not convenient to read compared to normal output.
So, you can see these are the four lines that we have. And if we scan to the side right here, we'll get a bunch of stuff. So all the ports, port 80, all of these things are now on the same line. So if you were to search for 110 for example, it would bring you this entire chunk, which is actually handy.
It's very useful to you. But when you're just reading through it by using cat, it's not very very user friendly. It's not human readable friendly. So if you were to GP for the keyword inside of the text file, it'll display all the lines containing that provided keyword.
So if we take the output of grip on normal output and the grippable format you'll notice that the former does not provide the IP address of the host instead it just returns this piece making it very inconvenient and however the ladder provides enough information so this is the former and this is the normal output and then when you do the greable format you can see that it gives you the host the ports etc etc so it gives you everything uh including that IP address and this one just gives you the line with the the port on it. So it again it's not it's not user friendly when you are reading through it manually but when you want to gp through it and search through it it becomes very handy when you use the greable format. XML is very similar to HTML. So you can do o x lowercase o capital x and it would be the most convenient to process the output in other programs.
So if you want to actually load it into something else. XML is very organized, so it can be read very it can be read easier than if it was just a normal or greable output. So you can save the scan output in all three formats by doing O A and then it'll create one in normal, grapable and the XML format. And then the script kitty is useless if you want to search the output for any interesting keywords or keep the results for future reference.
But you can always save it for that if you just do O S, right? Cap uh lowercase O capital S. And this is what it kind of looks like I guess, right? So the script kitty like host is up is now turned into this weird thing.
Not shown is it's all very weird. Like the the formatting of this is very weird. And I think it's even irrelevant in the concept of a script kitty detection. I I thought that it would be formatted in a way that maybe it would make it hard for us to use this somehow or maybe that the scan that we're doing would show up in the detection, but it has nothing to do with that.
It's just this weird formatting in the syntax that makes it I guess you can read it, but if you were to try to search for service without actually typing it like this, then you wouldn't be able to find anything for the service. So, okay, whatever. Um so now uh in the previous task we terminated it on the attackbox terminal issue the command secure copy and we're going to take it and we're going to take everything from the home pen tester and we're going to save it to our local drive and we're going to download the end mapap reports in normal and grippable formats from the target machine and the username pentester has the password thm17577 which is what you would need to do to copy anything and we're going to check the logs how many systems are listening on the http PS port. So, this is going to be an interesting little exercise here.
So, first and foremost, we're just going to save this. So, I'm just going to copy this right here just to make our lives a little bit easier. And I know I'm contradicting what I said previously. And I want to come out of where I am right now.
So, I'm going to go to the uh roots. And then from roots, we're going to go to actually we're going to go to this location because that's our root users location. And then we'll go to the desktop and in the desktop is where we'll save it. So we're going to do this piece right here.
Enter. And yes is fine. And THM, what was it? THM17577.
There you go. And there you go. So it saved these for us. Okay, great.
So now check the logs. How many systems are listening on HTTPS? So we're going to do this. We're going to do cat and we're going to do the greable format.
So I'll do scan 172. Oh, whoops. 17217 network and then GN map if I can spell right. And we're going to scan for HTTPS.
And nothing came out of that. So I'll do the same thing. And I'll do case insensitive and scan for that. There we go.
So what do we have? We have um host one right here has HTTPS. Host two has HTTPS. And host three has HTTPS.
We have the IP addresses and they all have HTTPS. So I'm going to say three would be our answer. Great. What is the IP address of the system listening of port 8089?
So we'll do the same exact thing. And now instead of doing that, we'll do 8089. And the IP address, there's only one machine that's actually listening on it. And this is that machine.
So we'll copy that and go over here, paste that. There we go. Officially, we have gotten all of the answers. Hopefully that was not too crazy.
Hopefully you understood what I just did right here. It's basically a very simple cat uh command and then we just grapped case insensitive to just make sure that you can search for whatever you want. And on the first one, I searched for HTTPS. On the second one, I searched for 8089, which is the port that they were asking for.
And just like that, my dear friend, we have finished all of the questions for this one. I was in a little bit of a rush as I was doing this recording, so I apologize. cuz I was kind of reading really fast and I was talking really fast. So hopefully that didn't bug you and you were still able to keep up with me.
All right, so in summary, we have gone through a variety of different options here. So we did the SV for version scanning and let me see if I can zoom in on this so it's easy. There we go. So SV to ver uh get the service and version and then you have version light that tries the most likely probes.
Version all tries all of them. You can also do version zero or version five or version 9 something like that. Capital O was detecting of the OS. Trace route runs the trace route to the target script and then the name of the script will actually choose the script script to run for you.
Whichever script you assign right here in the placeholder right there. The lowercase S uppercase C will run the default script. Uh capital A, we didn't really talk about this, but this will run everything. So, it's going to run all of these elements for you.
It'll run the service, the operating system, and the default script for you. And this is going to take a while, by the way, because you're doing essentially four activities for each port and each IP address, assuming that you assign a subnet to be scanned. Uh, O N will output it into normal, og will output it to greable, ox will output in XML, and O A will save them in all of those formats. And that's pretty much it for our postcanning.
And this is a tool that takes a lot of practice to get used to and to become friendly with. So it's not something that you can learn in just a quick series of videos. And my recommendation is get it downloaded or get access to one of the free attack boxes on Try Hackme because they have a bunch of free rooms that have access to the attack box and that attack box will have end mapap installed on it. So go nuts, right?
Practice. Go look at the manual for end mapap and look at all of the various options that it has. Read through them. Go read through some of the scripts that are available, the things that might be most interesting to you and just try to get that information in your system in your mind at the very least just so you understand.
Oh, you know what? I think I remember that I read something about this one type of script that was available in N map. Let me go check the list of all of the scripts, right? So, that's kind of what you want to do.
At the very least, expose yourself to the information so that when the situation when the the opportunity presents itself, you will know what is available to you and then you can go specifically to find that for yourself. But apart from that, that was it for this one. This is probably the shortest one that we've done in the end map series of videos, and I hope that it was actually valuable to you. If you did indeed find value in this video and you want to get more videos like this one, I do encourage you to like, subscribe, and turn on the notification bell so that you get notified the next time that a video comes out on the channel.
And feel free to browse through the rest of the videos that are on the channel. There's a lot of great stuff that's available. We obviously have the completed playlist and we have the playlist that are being worked on right now. So, for example, comopentes plus is actually being worked on right now.
Network Plus is already done. This is exclusive to hackolics anonymous. We have security plus already done. We have Linux plus already done and I have a bunch of other ones as well.
For example, security engineering compilations, uh, sock level 2, uh, SCIC hacking case studies, cyber security 101. This is a really, really big one. If you haven't gone through this, I highly, highly recommend it because it'll fill in a lot of the gaps in your foundation and in your basics. And once you finished SCIC 101, then you can choose if you want to go into defensive security or offensive security.
And in defensive security, you would go through sock level one, sock level two, security engineer. In offensive security, you would come back to the junior pentester and then go complete comtio pentest plus etc etc. And there's a lot of great content that's available here and there's a lot of standalone videos as well. So if you actually come over here to the search box and just search for Python for example, there's a lot of cool videos on here.
Building algorithms for cyber security. This is actually one of the more popular videos that are on this channel and it takes you from the very basics of Python, how to install it, how to get your first IDE, how to write your first program and then it builds you all the way up to learning how to write algorithms in Python for cyber security and it's a really really good video. I've gotten a lot of great feedback from it and it's very handy. It's very useful for a lot of people.
So, I encourage you to explore the videos that are available on this channel and expand your skill set as much as you possibly can to prepare yourself for the more advanced pen testing and everything else that we're going to be doing. So, that is pretty much it. If you have any comments about what we talked about today, make sure you drop them in the comment section below. If you have any questions, drop it in the comment section below.
And of course, like, subscribe, and turn on notification bell so that you get notified the next time that a video comes out on this channel. If you're serious about your SCIC education and you want access to me on Discord, consider joining Hackaholics Anonymous. We have four tiers. The supporter, agent, guardian, and master.
Each tier gets their own Discord server, and early access to content. The agent, guardian, and master levels get exclusive content, exclusive downloads, monthly Python automations, live streams with me every month, plus so much more. And to join, you can simply click the link in the description below, or you can go to our homepage and click the join button there, or you can go to youtube.com/hankhackshackers/join, and you'll be able to join hackix anonymous. I hope I see you in the Discord chats.
If not, I hope I see you in the comment section. It's your boy Hank Hackerson at Hank Hackshackers, your favorite network and system attacker/protector. If no one else loves you, Hank loves you. Love, peace, and chicken grease.
In this video, the presenter explains how to use Nmap, a network mapping tool, to scan devices on your home Wi-Fi or public networks like those at Starbucks or hotels. The tutorial covers how to install Nmap on both Kali Linux and Windows, and demonstrates how to identify devices connected to a network, including their open ports and services. The presenter emphasizes the importance of ethical hacking, warning viewers that unauthorized scanning can lead to legal consequences. Additionally, they provide a step-by-step guide on how to perform scans, interpret results, and even generate reports in HTML format for easier analysis. Overall, the video serves as a practical introduction to network scanning and potential vulnerabilities.
today you'll be learning how you can use mmap a network mapping tool that will allow you to scan devices with your own home Wi-Fi network all possibly let's say you go to a free Wi-Fi network like Starbucks Hotel Wi-Fi the apports Wi-Fi and so on and from there you'll be able to detect all these different devices within the network and look for possibly entry points to give you access into those devices I kid you not at the same time if you have Mr hacka as your neighbor then what happens is that he may somehow doten your Wi-Fi password and he is within your network you'll be able to identify just that pretty cool huh let's go ahead and get started so right in front of us we have col Linux running and over here what you can see is that we can go ahead and open up terminal and I can zoom a little more so it's easier for you to see and all you got to do is enter n map and from M map you can see all the different options that we can highlight here in order to run a scan against the network or against the target devices or websites and you'll be saying what if I'm on a Windows computer in that case case what you can do here is you can go into Microsoft Store go and ENT the K Linux in the search View and click under install so once you have installed K Linux on your Windows computer you will be able to then use map to likewise scan all these different devices within the network or on the Internet over through the internet using Color Linux using app app that is also likewise installed and available within your Windows computer so right in the middle you would have your own home router all right or possibly you're connecting through Starbucks free Wi-Fi and so on and then of course on the right side you would have your own computer so your own computer could be a laptop it could also be your mobile device where you have n map installed and once you have that as long as you connected to the network you'll be able to scan the network looking up for other devices within the network that you can then be able to look out for say does this have remote desktop protocol open does it have say SSH open does it have say a web server that is open up so once you're able to discover all these different Services you'll be able to use subsequent tools or even scripts from map to launch attacks against all these different connected devices and yes I know the Wi-Fi route that I'm drawing here looks like a TV and not only that let's say from your own personal computer you'll be able to launch attacks against all these different sites across the internet say for example you go to L ley.com and then you launch a attack against the site looking up for possibly different type of ports to open say port 80 Port 443 Port 445 and so on so forth and see which one of them open that you can possibly Target with subsequent tools like say mploy like say boot forcing attack tools and map scripts and so on and don't bother attacking Mr heck loy's website because I will find out your IP address and remember kids before we go any further hacking is illegal and when you scan a website using mmap when you scan another device using mmap many of this intrusion detection systems or firewalls will be able to pick pick up hey there is this IP address they're running all the scans in our Network let's go and find out who is this person and if you get found out that's it it's game over for you and the most important thing of all is don't tell them that Mr healong taught you all this all right so use case number one let's discover all network devices with ins say the Wi-Fi router that you connected over into the first thing you can do is enter IP addr and from here you'll be able to uncover your IP address so over here you have 1 A2 1 68.0 1117 sl24 all right so with that we'll be able to go ahead and launch a scan against the network so you can see over here with mmap follow by- SN so this means no port scan so this help us speed up the scan against the entire network and Then followed by over here 1 1821 168/24 so we scanning all right all of the IP addresses with been2 1680 and then one all the way to 255 so once you're ready for the scan go ahead in 3 2 1 hit answer and right now we're scanning against all these different IP addresses and right here we can see which one of these devices are up and running so you can see over here we have the list and from the list you can see we have1 is host up one11 1 0 and so on so farth so this help us identify all those IP addresses that we can potentially Target later on and from the list over here what we can do is go ahead and Target a specific IP address so in this case let's say we target 1821 16801 184 so you can see over here we have the instructions of nmap against the IP address of CR in the real world you can also be targeting a specific domain name say ly.com so when you go ahead and hit enter on that we're using the default settings that comes along with the default scan and immediately from the default scan we'll be able to see all these different Services as well as its Associated ports that are being open and the protocol of TCP and so on so forth so this help us understand what are potential Services is open so it's like a house how many windows are open how many doors open that we can possibly have an entry point over into the device however that is typically not sufficient for us to launch an attack against the service so what we need here is typically - SV this stands for service version so what it does is that help us identify specifically what is the version of that service so that we'll be able to look up and see if there are any common vulnerable exposure or exploits that's available for us to Target against that service and once you're ready go ahead and three two one hit and thr and that and this will take a little longer because right now we're going deeper we're probing deeper we're enumerating deeper so it takes a longer time for us to get those results so hang on tight get a cup of coffee and come back in a second boom done we now got the service version so you can see right here we got a lot more details than the one earlier so over here in this case you can see op SSH 5.3 P1 Apache all right 2.2.14 Cory IMM and so so far all right the leas goes on so this are all the specific versions of the service that's running on that computer so say for example we can use search sploit to search up say open SSH 5.3 P1 which is the service version We uncovered earlier for Port 22 when I hit enter on this we can look up all of these potential exploits that we can use as part of launching the attack against that specific service at the same time we can also launch matlo so that from maty we can directly use a much more interactive option to gain direct access to the run of the exploit so in this case we're starting up the M exploit framework over here and what I can do is once more I can do a search on open SSH so I do a search open SSH all right and we can see over here we have several modules that are available for us to use so in this case we have say a exploit Windows local auxiliary scanner SSH enumerate users and so on so forth so all this are also the other options that we can use against a specific service version and we also have the option of using mmap scripts to help us run say boot Force attack against the login VI of Port 22 which is secure shell so in this case as you can see over here we have the following of-- script SSH brute all right followed by the script arguments all right so in this case we have the user database and user database is pointing over into this common username St txt followed by the pass DB all right in this case we also have the common password.txt and of course the script argument of SSH Brute Force timeout and of course finally with the target IP address and once you're ready in three 2 one hit anthor and d and you can see right here we're trying the username password pair to see which one gets us a hit all right I got some seriously bad news we are not able to gain access to the service of secure Shell through a boot Force attack so we have to use other methods now before we go over to using other exploits is something really cool here that generates a report for us so what you can see over here is we have nmap as the network mapping tool T5 for agressive and- a is to use some of the default scripts OS detection and all these different options is available for us- V for theose and a Target Network so in this case we are once again scanning across all the IP addresses and output into a network map XML file which will then later convert so that we get a view or a graphical view of what's going on across the network so once you're ready in 3 2 1 H an and that well this does take a wall we were scanning sever host we're scanning the parts we're scanning using all this default options so it takes a while so in the meantime go ahead and grip yourself all right 10 cups of coffee while we wait for the results all right so the scan has completed and we scan across all these IP addresses and you can see over here we have the results for each of the IP address including all of this different version information so what we can do now is we have to F so if you see over here on the previous command we have to follow of network map. XML so if I go ahead and open up say FX Network dm. XML hit enter on that it shows us the information over here but it's pretty hard to read it's not really human readable so what we need to do then is is there a way for us to convert it into a very beautiful format so that we can see exactly what's going on in a report format so right here we're using xslt Pro do/ Network map. XML followed by- output Network dm.
HTML so we're converting this to a HTML file so all I going to do right now is again using Firefox I'm targeting into Network dm. HTML hit enter on that and boom you can see right here we have really beautiful result format so you can see all the IP addresses and of course if I zoom in a little more so it's easier for you to see as I screw down further all right we can see okay for this specific IP address what are the open ports okay and we can see the results over here right and I scroll down further okay we can see possibly other live hosts of course we can always easily click to expand on them all right so these are the things that we can do right here all right so we got another one or IP address 18268 z101 I can scroll down further and you can see some other interesting information over here as well so we got the IP address of 1821 1680 1110 right Port 80008 89 all right 8443 and so and so forth so all this are the different IP addresses that we have within the network and you can easily do a scan like this in a cafe in the appon lounge at the hotel and you'll be able to uncover all these different IP addresses that you can easily Target later on say for exploit and if you recall earlier we were having our own computer over here and we were running all these different scans against and other possible devices across the networks and so on and so forth and what happened then was that we had a list of all the services and the service versions that are running however we had to do a manual check so we had to go over into search exploit we had to go over into met exploit and then from there we had to list all this different types of service versions and see whether there are exploits available for it but what if within nmap alone itself we are able to get those results directly that would save us a lot of time and a lot of trouble having to use multiple different tools why not just use one script scan against the target device and be able to list out all those common vulnerable exposure possible exploits for it and that would save us lot time effort and I'll be teaching you just that so all we got to do right now is ensure that we indicate D- script vaugh all right so in this case we're targeting a singer Port so this is the singer Port we're targeting and seeing whether there are any possible vulnerabilities that we can go after so you can see right here we have completed the scan and we have found certain vulnerabilities so we have a following of Apache by range F through dos denial service attack all right so this is the CV number 2011 3192 all right it's vulnerable to a denial service attack when numerous overlapping bite ranges are requested all right we can also see that there is a HTTP Trace is enabled all right interal IP licked all right we have the HTTP cookie flax cross domain policy or right cross domain and client access policies vulnerable and we also have the cross-site request forgery or spider spidering limited to Mex dep and so on so forth so we have all this different information as well right so we are uncovering all these vulnerabilities within the port ad service all right so in this case we also could look at enumeration so we see there is a/ WordPress SL test/ monono PHP my admin so all these are the additional Pages we have found within the site that we can go after all right so you can see over here potentially interesting folder with directory listing so it shows us the list of directories is available all right so we can see all this information directly from here and right here we can also use map to Target specific services so in this case we're targeting Port 139 445 using a script of SMB OS Discovery enumeration of the shares and enumeration of users against another IP address so again we can use this for a set of IP addresses or a specific device so once you're ready hit enter in three 2 1 hit enter in that and we can see right here we're able to figure out what are all the different directories that we have access into all right so this is a way for us to very quickly be able to uncover all the different accessible directories of a Remote device and this time around you can see right here we're targeting two ports so in this case put 139 445 a specific IP address and getting the service version of it so so we are trying to look up specifically for certain vulnerabilities in a Target device and we got a result and with a result right here we can go ahead and say look over for this potential exploit and say m spoit that can allow us to go ahead and possibly gain direct access over into the computer so you can see right here I am on M sploit and all I got to do is say enter search Follow by SMB all right so we can see lots of results I can just search for a sbar and over here we can use a specific exploit again you do have to test out several of these exploits and see which one of them would work so you have to read a little more understand a little more and see what's going on so in this case we will use exploit multi sunbar user map script so let's go ahead and enter use 8 enter on that all right so we have here the default payload which is CMD Unix reverse netcat enter show options so right now all we got to do is quite simply enter set our host 1 i26 68.0 212 so this is the target IP address hit enter on that and right here you can see under the payload options we have already set the payload which is lhost which is your call Linux or the attack us machine in this case we2 1680 to17 L Port the listening Port of course in this case we have 4444 all right so once you're ready all you got to do right now is go ahead and enter exploit hit enter and that and we'll see if we get a results starting or stter reverse TCB Handler command shell Session One open so we are in I can enter PR working directory I can I can enter who am I we are in it's game over enter LS we can see all this different information right here which means that we have now remotely control the device
The video discusses the importance of inventorying network devices and how to use Nmap, a popular open-source tool, to achieve this. It demonstrates basic scanning commands to identify devices and their open ports, as well as more advanced options for gathering detailed information about specific systems, including operating system detection. The presenter explains how to export scan results into an XML format for easier parsing and then convert that XML into a more user-friendly HTML report using an XSLT processor. Additionally, the video touches on customizing the HTML output with stylesheets for better readability and emphasizes that having a clear inventory is crucial for network security. Viewers are encouraged to explore further capabilities of Nmap and check out additional resources provided in the video description.
having an inventory of which devices are on the network and what services are running on those devices is an important part of network management and nmap has been a very popular open source tool for over 25 years to solve that problem while map has a very powerful command line output that is good for Integrations in the scripts what I want to show you today is how to make that output into a really nice HTML report the prerequisites for doing this are having a Linux system with nmap installed as well as having a command line XML parer that is available in most Linux distributions I'm using Debian for this demo the commands of using along with a custom stylesheet I will be applying will be available in the description below and hosted by sponsor of today's video plumera The Sim and xdr platform that simplifies security for it teams Plum turns complex security into a simple Swift and stress-free experience giving you the freedom to focus on what matters most I thank blumo for being a sponsor and let's get started on the [Music] video let's start with the basics I want to scan a single device on my network so I can type in end map and then the IP address of the device I want to scan and it will run a ping confirm that device response to that ping and then show us all of the ports that are available on there now if I wanted to do something a little bit more advanced or show all the inventory I can actually use a sl24 and it will scan the entire Subnet in nmap and this is good but takes a little bit longer and it'll dump it all out to the command line here so let's run this command and show you and it took 26 seconds to scan and now we have a whole list here of all those different devices on my network and which ports are open now you can also do commands in nmap to shorten this such as nmap DSN and then the range and this is just going to do a quick ping scan across all these and I just want to see which ones are are are responding so now it gives me a list and it tells me the host is up and the latency the return ping time essentially of each of those hosts another option when doing map is to set a range for example if we wanted to do IPS three through six we can simply run this command here and it's going to do 3 four five and six so we'll go ahead and run that and it gives you the results for each of these IPS and the ports are around there but let's go ahead and get a little bit more extended information and we're going to focus in on one system the 1721 16165 and for this command we're going to run sudu m-s capital V and a capital O and we're going to focus in on this IP address what this will do and why we have to run sudu is I want to run operating system detection which is the dash and then I want the extended information for each Port it finds open the version hopefully of the software that's running on those ports now what nmap has done here is tell us not only that open SSH is here on Port 22 but we can see which version it's running right here same thing with we know it's not just open port 80 with HTTP but it's running engine X we have our Samba version we also see that it's specifically engine X again on 443 we see Samba here on 445 now this is not always going to be 100% accurate but it's in interesting to see the extra extended information that you find by running that and it did identify this properly as a system that is running Linux now that's great for looking at an individual IP but if we were to run this and want an entire network inventory and we wanted to do the entire subnet here or even a series of subnets you would end up with a lot of data you can actually use TCT Tac ox and then give it a name Network inventory XML and this will generate an XML file out of the output so instead of having to parse to it through the command line or look through it through a basic text file it'll give it a more structured format by putting it in XML now while I do like the forting it gives it an XML and it's great for parsing this into other systems and importing it it's a little bit less human readable unless you're one of those humans that just prefers to look at things in XML let's go ahead and convert this XML to HTML and that's where this little tool comes in xslt PR this is just a processor that will take XML and output it into nicer clean HTML so we'll go ahead and make sure that's installed now let's take that XML file and output it to an HTML and this is where that tool comes in xslt P Taco the network inventory HTML you're actually telling it to Output to this format and then we have the network inventory XML that's actually our input file I know it may seem reversed but we're converting this XML file into an HTML file and without any options or stylesheets this is what it looks like it has the command at the top I ran to build this so there is the command that was run that built the file and here are all the results it doesn't look bad I'm not thrilled with the kind of green look or maybe it feels kind of retro and you like it you can stop here if this is fine but I think this is at least pretty human readable compared to looking at the XML or going through the command line and of course once it's in a browser it's easy to modify this put it into an archive a PDF or many of the spreadsheet programs will let you do things such as copy and paste this and build spreadsheets out to start making your inventory and maybe making a to-do list to figure out why so many ports are open on so many things now let's talk about stylesheets you can actually create custom stylesheets to apply to this parser I got a pretty basic one here it just gives a little bit more modern look and like I said maybe you like the Retro look but I wanted to make it look a little bit more modern and it's going to look for these values and then apply a specific CSS to them with this stylesheet so let's go ahead and close this and show you how to apply it now the command is pretty much the same we're going to use taco we're going to do Network inventory I'm going to add the word stylized to it for this HTML output then we're going to apply that stylesheet the nmap styleshe sheet. XSL and then we're going to give it the input file the network inventory XML so it's the same Source XML file we're just outputting it a little bit different by applying a stylesheet we still have the same command run so it's the same data the same XML file but I think this has a little bit more modern look and of course up to you you can customize this further maybe put your own information at the top of how you want this presented customize that CSS some more but I think this is just a little bit easier more human readable and we could still do the same thing if we were to copy and paste this this with land and many spreadsheet systems quite fine to start your to-do list and start inventorying everything and maybe building some projects or really clear documentation inventory for what you found on the network now this barely scratches the surface for the full breadth of what you can do with nmap nmap's a little bit more than just a scanner these days it actually has a lot of extended features including full vulnerability scanning and some V ility validation to see if something's been patched there's an entire ecosystem that you can really dive into with nmap maybe I'll do some more advanced videos later on it but the goal of this one was just to be able to get you a very human readable form of inventory so you can start understanding what's on your network and have a good grasp on that because inventory is the first step to getting things secure because you can't secure what you don't know about so check out that blog post down below there's actually a little bit more information that bloa has in that blog post including the commands I use and that stylesheet that I I mentioned so go ahead and check them out and we thank them again for sponsoring the video but let me know what you think leave your thoughts and comments down below head over to my forums forums. systems.com to have a more in-depth discussion about this and other topics like And subscribe to see more content from the channel check out nmap's site and check out the movie history I always get a kick out of that they keep a running list of movies where nmap has been used to show hacking which I always get a kick out of so go ahead and check that as well all right thanks [Music]