IP, TCP, UDP, and ICMP Headers - NM


Course time: 7 hours 1 minute
Difficulty: Beginner
CEU/CPE: 7
Video Transcription
00:01
Welcome to the Nmap lesson on IP, TCP, UDP and ICMP headers. This lesson is simply a brief overview of the most important TCP/IP protocols you need to understand when composing Nmap scans. My main objective will be to help you to understand the difference between
00:19
their headers and what important features about each you need to grasp.
00:23
If you walk away from it with an understanding of the TCP three-way handshake, encapsulation, source and destination addresses and ports, flags, and ICMP types and codes, I've done my job.
00:36
I'll also provide you with some good reference videos in case you want to dive deeper.
00:41
Let's get started.
00:43
In this lesson, we'll talk about two important concepts in TCP/IP: encapsulation and the TCP three-way handshake.
00:51
We'll then go on to discuss TCP and examine its header.
00:55
Then we'll talk about UDP and its header.
00:58
Next, we'll take a look at the IP header
01:00
and we'll finish up with the discussion on ICMP and its header.
01:04
In each of these slides, I'll provide you with some additional reference material, and we'll try to focus on why and how this information is relevant to using Nmap.
01:14
The more you understand this stuff, the better you will be in constructing great Nmap scans.
01:21
Let's talk about two important concepts in normal TCP/IP communication.
01:26
Some of you may be asking why encapsulation and the TCP three-way handshake are on the same slide.
01:32
Well, I have no good explanation, except for the fact that these two concepts are high-level mechanisms that must be understood to conceptualize what is happening when Nmap scans are executed.
01:42
But the fact is, encapsulation and the TCP three-way handshake are not necessarily related, other than they're both part of the traditional TCP/IP stack
01:53
and both fundamental.
01:56
Encapsulation is the process of adding headers and trailers to data.
02:00
Many people talk about it in terms of wrappers, as in candy wrappers, not like Jay Z or Eminem.
02:06
The idea is that lower layers tack on headers and, in some cases, trailers to higher-layer packets in such a way that they're wrapped in them.
02:15
The picture in this slide shows the two most important OSI or TCP/IP model layers on the left, as far as Nmap is concerned, the transport and the network layers,
02:27
and on the right it shows which protocols exist in those layers as well as what datagrams are called in each layer.
02:34
So at the transport layer, or layer four of the OSI model, a datagram is called a segment
02:39
and can either be TCP or UDP.
02:43
At the network layer, or layer three, a datagram is called a packet.
02:47
I wanted to start with this because we're going to do further analysis of ways that Nmap uses each of these layers as it generates its scans by manipulating those headers.
02:58
The second concept here is the TCP three-way handshake.
03:01
Some of you may be wondering why there is no UDP handshake on this slide.
03:06
The reason is that there is no such thing.
03:08
As we discussed in the previous lesson, UDP does not provide connection-oriented, a.k.a. reliable end-to-end, communication.
03:16
It only provides best-effort or connectionless communication between hosts.
03:21
The TCP three-way handshake, on the other hand, is what makes connection-oriented communication possible.
03:28
As the picture shows, user A's computer initiates communication with server B with a SYN flag set in the TCP segment.
03:36
Server B responds with both SYN and ACK flags set,
03:42
then user A's computer responds with an ACK.
03:45
The connection is established and communication continues.
03:49
This is an important concept in Nmap, because Nmap and its users, such as you, can generate scans that manipulate the TCP flags in different ways in order to solicit various responses so you can critically evaluate the results.
04:02
This capability is built into Nmap as a part of its packet crafter called Nping.
04:08
If you want to learn more about encapsulation and the TCP three-way handshake, I've provided some links to some good videos.
04:16
Let's talk about two important concepts in normal TCP/IP communication.
04:21
So on the right, I put a graphic that lays out the TCP header for you.
04:27
TCP is a transport layer, layer four, protocol that offers reliable connection-oriented communication and is passed down and encapsulated by IP.
04:34
From Nmap's perspective, the most important things you need to understand about the header are its source port,
04:41
the destination port and the TCP flags.
04:44
Other things could be altered with Nmap through Nping, but these are the ones you'll spend most of your time working with in Nmap.
04:50
In a regular Nmap scan, the source port is ephemeral, meaning your scanning station will automatically determine
04:58
the port it opens for communication,
05:00
and it will be an upper-level, non-well-known port. In other words, higher than 1024.
05:08
However, the destination port will either be defined by you in your scan statement or will be chosen by Nmap.
05:15
A regular Nmap scan, for instance, will scan 1000 popular ports, and a fast Nmap scan will scan 100 of the most popular.
05:25
A fast scan is built by using the -F command-line switch,
05:30
or you can literally specify exactly the ports you want to scan. I'll show you this later.
05:35
Another great feature of Nmap is that you don't have to build a full TCP connection, a.k.a. three-way handshake, when running a scan. In fact, by default Nmap generates a TCP SYN scan against targets by setting the SYN flag
05:49
but
05:50
not responding with a SYN-ACK. This is because the responses to SYN scans are just as reliable as full connect scans, but are quieter and more polite.
06:01
nmap -sS initiates a SYN scan,
06:08
nmap -sA initiates an ACK scan, and nmap
06:14
-sT initiates a full connect scan.
06:17
Other important TCP flags to note are U for urgent,
06:21
P for push, R for reset
06:25
and F for finish.
06:27
You can also initiate a so-called Christmas tree scan, or Xmas scan,
06:32
with -sX,
06:36
which sets all the TCP flags
06:40
and in doing so, lights up the TCP segment like a Christmas tree.
06:44
Sometimes the responses to this type of scanning could be valuable, but they're definitely not quiet.
06:50
Some of the same things that applied to TCP also apply to UDP.
06:55
UDP itself is much simpler, with less overhead than TCP, though.
06:59
The most important component of the UDP header is the destination port,
07:03
with the ephemeral source port being supplied by your computer.
07:06
It's really important to be familiar with constructing UDP scans through Nmap, because some really important services use UDP for communication.
07:15
For example, DNS uses UDP port 53, NTP uses port 123,
07:21
NetBIOS uses port 137 and LDAP uses 389.
07:28
To initiate a UDP scan,
07:30
use nmap -sU followed by the port you want to scan with the -p switch. I'll show you some examples of this later.
07:40
The IPv4 header is tacked onto the TCP or UDP header through the process of encapsulation.
07:46
IP is connectionless and operates at layer three, or the network layer.
07:51
You'll notice that I have
07:54
version circled in the graphic to the right.
07:56
The only reason why I've circled it is because I don't want you to get confused. In IPv4 communication, this value will always be four. However, that doesn't mean that it changes to six if it is IPv6 communication.
08:11
In fact, IPv6 has an entirely different header.
08:15
Beyond that, you don't have to concern yourself with the version field.
08:18
The protocol field defines the protocol that is used in the creation of the packet.
08:22
For the most part in Nmap, this will either be TCP, or protocol six,
08:28
UDP, or protocol 17, or ICMP, or protocol one.
08:33
The source address will usually be your IP address, though this can be altered,
08:39
and the destination address is the address of your target.
08:43
nmap
08:45
-sO allows you to determine which IP protocols are supported by target machines.
08:52
By default, Nmap will scan all 256 possible protocol values and provide you with the results.
08:58
As with the other slides in this module, I've provided you with a video on a deeper look into the IP header, should you wish to learn more.
09:07
The Internet Control Message Protocol is used all around the world by network analysts to determine if packets are routing successfully,
09:16
if hosts are up and running, and for simple latency analysis.
09:20
This is done using the ping or traceroute command in your favorite operating system.
09:26
ICMP is really a supporting protocol and acts similar to layer four protocols but really exists in layer three, technically.
09:35
As you'll notice in the graphic, though, ICMP must be attached to IP because it has no address field in its header.
09:41
The two most important fields in the ICMP header are type and code.
09:46
If you look at the graphic, you'll notice many familiar responses, with most of them being type 0, 3, 8 or 11,
09:54
like destination host unreachable and TTL exceeded.
09:58
The biggest thing I want to point out is the fact that when you read about ping scans in Nmap, do not assume that this means ICMP is being used. In fact,
10:07
ICMP is really only used as a helper utility. Charge it to traditional TCP and UDP scans in Nmap.
10:15
In fact, in order to initiate an ICMP scan, you have to run nmap
10:20
-sn -PE.
10:24
Nmap can use ICMP in novel ways, though. For instance, you can construct small ICMP packets that solicit responses from entire networks very quickly in Nmap.
10:37
This is much more effective than simply running a ping command one at a time to every device on a network.
10:43
However, I think you'll see that using TCP and UDP scans is much more effective,
10:48
and allowing Nmap to use ICMP as a helper is usually the best bet.
10:54
In this lesson, we discussed two important concepts in TCP/IP:
10:58
encapsulation and the TCP three-way handshake.
11:03
We then discussed TCP and examined its header.
11:07
Then we talked about UDP and its header.
11:09
Next we took a look at the IP header
11:11
and we finished up with the discussion on ICMP and its header.
11:16
I hope you found this information very helpful.
11:20
Thank you so much for working through it with me and I'll talk to you more in the next lesson.