NMAP

Course
Time: 7 hours 1 minute
Difficulty: Beginner
CEU/CPE: 7

Video Transcription

00:00
Welcome to the lesson on the scan phases of Nmap.
00:04
Like most software, Nmap executes its processes in a sequence, with one phase completing before the next begins.
00:11
This lesson walks you through each of those phases.
00:14
Some of you might think that this lesson may not have a lot of practical implications, but I hope to prove to you otherwise.
00:21
Knowing how Nmap works under the hood will definitely help you as you use it.
00:25
One last thing. This lesson doesn't include a lab, so if you're not in front of a computer that runs Nmap, you won't miss anything.
00:32
Let's get started.
00:34
Here are the learning objectives for this lesson.
00:37
First, we're gonna answer the question: why should I care about Nmap's scan phases?
00:42
Then we'll go through each scan phase in the order in which they are executed and processed.
00:48
And finally, I'll talk to you a little bit about what you can do with this information.
00:54
So
00:55
why should you care about Nmap's scan phases?
00:58
Well, I would argue that understanding how any software works always helps when using it.
01:03
Take a car, for example. While it's true that most people can get a long way by driving a car without ever having to know anything about how it works, you have to admit
01:12
that having a basic understanding of how it starts, runs and stops could be very helpful.
01:18
This is especially true if the car begins operating outside of the norm.
01:23
If the tire pressure gets low, it's good to know how that may affect performance or what should be done to resolve it.
01:29
Or if it struggles to start or overheats, it might be really helpful to know some things you can try before taking it to a mechanic.
01:37
Similarly, if you understand how Nmap processes a scan, it may really help you when the results of your scan don't match what you expected.
01:46
Additionally, it helps when you're constructing an Nmap scan.
01:49
For example, it's really helpful to know that Nmap performs target enumeration and port scanning before performing version detection or OS detection.
01:59
If you don't specify the right target or don't include the right TCP or UDP ports in your scan, version detection and OS detection will either be inaccurate or will simply not work,
02:10
like our analogy: if your car doesn't start and you don't know how to read the gas gauge to determine the tank is bone dry, you might be left wondering why it didn't start.
02:22
Also, understanding the scan phases really helps while tuning the performance of an Nmap scan.
02:28
When using Nmap in the real world, you will almost always want to know what you can do to minimize the amount of time and computing resources required while still effectively producing the results you're aiming to achieve.
02:38
Even though Nmap operates very efficiently, there are many times when you can optimize its performance by simply adding or taking away some extra command line switches.
02:49
For example, if you're examining an email server, you probably don't need to let Nmap scan the default 1000 most common ports.
02:58
During your scan, you can limit Nmap to scanning less than 10 of the most common ports used by email servers.
03:05
This could improve the scan performance by more than 50% yet produce the exact same results.
03:10
Some of you may consider a lot of this purely an academic exercise, but I really hope that I've provided you with a strong argument about why it matters that you at least have some cursory knowledge of the Nmap scan phases.
03:23
You don't necessarily have to memorize them, but it would be handy to keep them in the back of your mind or have a quick reference of them nearby.
03:31
All of the information in this lesson comes from the reference I've provided from the Nmap website as the last bullet point in this slide.
03:40
The main thing to understand when looking at the scan phases is that scans proceed phase by phase.
03:46
In other words, each phase completes before the next one begins,
03:51
and they're not iterative.
03:53
That means, for example, that Nmap will not do port scanning, then do OS detection, then go back and do more port scanning.
04:00
So here they are in order.
04:02
After this quick review we'll dive into what happens at each phase in more detail.
04:09
Phase one is script pre-scanning.
04:12
Phase two is target enumeration.
04:14
Phase three, host discovery.
04:16
Phase four, reverse DNS resolution.
04:19
Phase five,
04:21
port scanning.
04:23
Phase six, version detection.
04:26
Phase seven, OS detection. Phase eight,
04:30
traceroute.
04:30
Phase nine, script scanning.
04:33
Phase 10,
04:34
output,
04:35
and phase 11, script post-scanning.
04:40
Now let's look at each phase one at a time.
04:43
Phase one, script pre-scanning.
04:46
This phase only occurs while running Nmap Scripting Engine, or NSE, scans,
04:50
which use the --script or the -sC switches.
04:57
Additionally, according to Fyodor's book, this phase is for scripts which only have to be run once per Nmap execution rather than running separately against individual targets.
05:08
We'll cover NSE in detail later.
05:12
Phase two,
05:14
target enumeration.
05:15
This phase occurs with every scan.
05:17
Essentially, Nmap determines every host to scan based on the user's command line arguments.
05:24
There are a lot of ways to tell Nmap what target to scan, and we'll go over those later.
05:28
Just note that passing Nmap IP addresses or a group of IP addresses will make the scan faster than names, because Nmap doesn't have to do name resolution.
05:39
Phase three, host discovery, also known as ping scanning.
05:44
This phase discovers which targets are online and worth investigating further. It can be skipped by passing the -Pn,
05:53
which is the no-ping option.
05:56
This causes Nmap to assume all target IPs are online.
06:00
This can be helpful if your scans have little to do with ICMP echo responses.
06:04
For example, you may be doing ARP requests or TCP or UDP scans. If the target is blocking or filtering ICMP messages, host discovery will be a waste of resources, so turning it off for some scans may be a better use of your time, computing and network capacities.
06:24
According to the book, once Nmap has determined which hosts to scan,
06:29
it looks up
06:30
the reverse DNS names of all hosts found online by the ping scan.
06:34
Sometimes a host name provides clues to its function,
06:38
and names make reports more readable than providing only IP addresses.
06:43
This step may be skipped with the -n, or no-resolution, option
06:48
or expanded to cover all target IPs, even down ones, with -R, which is resolve-all.
06:59
Phase five, port scanning.
07:01
At its core and by reputation, port scanning is what Nmap does better than any other tool.
07:06
In fact, many people simply consider Nmap a port scanner.
07:12
I'm hoping that this course shows how simplistic this view is.
07:15
Probes are sent, and the responses or non-responses are used to determine whether the target's ports are open, closed or filtered.
07:24
This phase in an Nmap scan is very important and performed by default in every Nmap scan. However, it can be skipped by using the -sn option.
07:36
Phase six, version detection.
07:40
When ports are found open, Nmap attempts to determine the server software that is running on the target.
07:45
It sends additional probes to open ports and attempts to match responses to an Nmap database that contains thousands of service signatures.
07:53
This phase can be enabled
07:55
on any scan by using the -sV command line switch.
08:01
Phase seven, OS detection.
08:03
The operating system detection phase is optional and is run on several default Nmap scans.
08:09
Also, you can add the -O option on any scan to attempt operating system detection.
08:16
Similar to version detection, Nmap examines the responses to various network probes and compares those responses to signatures and behaviors of known operating systems.
08:28
Then it provides you with a degree of likelihood that the responses match one or more of those known operating systems.
08:35
Phase eight, traceroute.
08:37
Some scans may make use of Nmap's advanced traceroute capabilities.
08:43
You can force Nmap to perform a traceroute by using the --traceroute option on the command line.
08:50
Nmap will determine the route to the target, then run reverse DNS resolution on several intermediate hosts in parallel in order to speed up the trace.
09:01
Phase nine, script scanning.
09:03
This is where most of the NSE scripts run, rather than the pre-scan or post-scan phase. As I mentioned before, NSE will be covered in detail later in this course, but for now, just know that this phase of the scanning process is where most of the NSE scripts perform their processing.
09:20
Phase 10, output.
09:22
In most scans, this is the final phase.
09:24
After Nmap does all of its processing, it collects all information it has gathered during scanning
09:31
and either writes the output to the screen or to a single file or multiple files.
09:35
From a network inventory, forensic investigation or reporting standpoint, this is where Nmap really proves its value.
09:43
The output can be pulled into many different programs, like word processors, spreadsheets, databases or even HTML files, with some processing.
09:52
This course will spend some time on dealing with output other than just on screen.
09:58
It's one thing to tell people that you have determined details about a target, but quite another to show them the results of your analysis.
10:05
Phase 11, script post-scanning.
10:09
This phase is currently more of an idea than an actual phase. In other words, if you learn the Lua programming language to write your own NSE scripts and choose to add additional results processing in order to deliver reports and statistics, this is the phase in Nmap processing where this would occur. No official
10:28
Nmap NSE scripts currently do this,
10:30
but Nmap is evolving constantly, so it is likely that this will change.
10:35
So now that you've learned the Nmap scan phases, what should you do with this information?
10:41
Like I said earlier, keep it as a reference and burn it into the back of your mind. When you run Nmap scans, you may not get the results you want, or you may not get them quickly enough.
10:52
Knowing how Nmap processes a scan can really help you make the most of your resources, and it can help you troubleshoot when things don't look quite right.
11:01
Becoming proficient in Nmap takes time and experimentation.
11:05
But you'll never become an expert without understanding how it works under the hood.
11:11
In this lesson, we discussed why you should care about the Nmap scan phases.
11:16
We then learned about each of them,
11:18
and finally we briefly discussed what you should do with this information.
11:22
Thanks so much for walking through the phases of Nmap scans with me, and I'll talk to you in the next lesson.

Instructed By
Rob Thurston
CIO at Integrated Machinery Solutions