Nmap and Wireshark Part 1 - NM

Video Activity

Join over 3 million cybersecurity professionals advancing their career

Required fields are marked with an *

View all SSO options

Already have an account? Sign In »

NMAP

Course

Time

7 hours 1 minute

Difficulty

Beginner

CEU/CPE

Video Transcription

00:00

Welcome to a lesson on using and map and wire shark together.

00:04

Like N map wire, shark is an amazing free network analysis tool. It's a full featured protocol analyzer with capabilities that extend far beyond the scope of this course. With that said, though, this lesson is intended to encourage you to install and or use wire shark during your end map scanning,

00:22

you'll be able to see how and map sends out its probes,

00:25

manipulates packet headers and generally crafts. T C V I. P packets.

00:30

Let's get started.

00:31

Here are the learning objectives for this lesson.

00:34

First, we'll talk about what wire shark is in a little about its history and use.

00:40

Next, we'll talk about why we, as I D professionals, should use it.

00:44

Then we'll discuss why you should consider playing around with wire shark alongside and map. And finally,

00:50

we'll do a lab on just that.

00:53

For most of you, learning about N map wire, shark is probably a tool with which you are very familiar. In the battle days of network analysis, packet sniffers were really expensive and hard to come by.

01:03

Wire shark, which was originally called ethereal, changed all that

01:07

officially wire Shark is a network protocol analyzer that lets you capture and interactively browse Traffic running on a computer network is free and open. Source.

01:19

The biggest thing I want to mention here is that wire shark is really amazing, but the way that T. C B I P works on a switch network can limit its effectiveness.

01:27

Specifically, just because you plays a protocol analyzer like wire shark on a network and tell it to listen to a network network traffic doesn't mean that all traffic will be seen in it.

01:40

In order for wire shark to capture all traffic on a network, it must be set toe listen promiscuously, and it must be running on a hub which repeats all traffic or a span or mirrored port on a switch.

01:53

If you're a network administrator, these air definitely things you could make happen if you choose, but you probably won't want to on a production network just for the sake of learning and map.

02:02

Just because this limitation exists, though, doesn't mean that wire shark is useless. Much to the contrary, are wire short captures in this lesson will be set up from the receiving end, will install wire shark on the target host, then run some scans than filter and evaluate the results.

02:20

So I use wire shark while there are 1,000,000 uses for wire shark, even on a switched Ethernet network,

02:25

this is true for both network administrators and information security professionals.

02:30

In most cases, wire shark is used for troubleshooting communication between a specific center and recipient.

02:37

I've personally used it a lot to troubleshoot VPN and remote connectivity issues. Voice over I P and sip issues and everyday switching and DCP issues

02:47

for info SEC professionals wire short can be an effective tool for investigation.

02:53

For example, if you have reason to believe that a host on your network has been compromised and want to gather evidence about the breach, you might set up a wire short capture to determine the source in nature of that breach.

03:05

This can help you figure out how to mitigate the threat and can provide you a solid network. Forensic evidence in case you need to bring in law enforcement and build a case,

03:15

using wire shark on any map, scanning station or on a target host can be very informative and educational gives you the opportunity to see how in map, crafts and sentence probes and how they're received.

03:28

Since the purpose of this course is to dig deeper into n map, I think that introducing you to wire sharks use within map is very fitting.

03:36

We've covered basics about T. C V I P

03:38

along with some of the details about TCP and UDP headers. In previous lessons.

03:44

Using wire shark within map will allow you to see what the TCP and UDP packets look like as they're crafted and placed on the wire.

03:53

Doing this is not only educational, but it also helps you gain a healthy respect for n maps, efficiency and speed.

04:00

Okay, so in the lab, we're gonna run through a couple of scans and look at the raw packets using wire shark. We haven't really covered scan techniques, though, so don't get caught up too much in the end. Map commands. I'll explain them as I run them, but just know that will go into them in much more detail later. The main point here

04:17

is just to encourage you to consider running wire shark on your scanning station

04:21

or on selected targets, so that you can see what end map is doing when you run scans

04:28

in this lab, we're going to run three and map scans first will run a default and map scan, which is a TCP Syn scan of 1000 ports.

04:36

Second will run a UDP scan of a couple of specific boards and finally will run an end map Ex Miss Scan, which sets the TCP Finn push and urgent flags.

04:48

I'll point out the difference between capture filters and display filters, and I'll give you some basic syntax for filtering in wire shark.

04:57

The last bullet point here is a link to a really, really good cheat sheet for filtering in wire shark. Let's do it.

05:06

All right, so welcome to the lab on running wire shark and then map together.

05:12

So let's just jump right in. So just to set the stage,

05:15

I'm sitting here on Windows 10

05:19

and maps scanning station

05:21

and the machine that I'm running wire shark on, which is the target host,

05:28

is Ah, Windows 2012 Server,

05:31

and I am remote desktop into it.

05:34

You could see that here at the bottom. I'll go ahead and pop that up.

05:39

So here's that machine.

05:41

So the map scanning stations I p address

05:46

05:48

1921681.167

05:51

And

05:54

the I P address of the target host is

06:03

1921681.10.

06:06

All right, I'll clear the screen.

06:11

06:12

really, I wanted to diagram this out, but since it's only two machines, I figure you can follow just fine. Um,

06:18

06:19

let's go ahead and open up the and map

06:23

target host

06:24

and I'll fire up wire shark.

06:31

And this machine is not extremely powerful, so it might take a little bit of time.

06:38

Open up.

06:43

All right, So

06:45

if you install wire shark on your machine, you might see more than just one adapter here. I just have one. It's called physical because this machine run some virtual machines also.

06:57

And, um,

06:59

the first thing I want to point out was that you see right here it says, capture using this filter. Well, everything that I show you from now on,

07:10

you can

07:11

type in your filtering commands here in the capture filter.

07:15

Or you can type in

07:18

commands up here for your display filter

07:23

Anything that you type here.

07:25

Once you run your wire shark capture

07:30

um,

07:31

if you enter it in your capture filter

07:33

basically, and map will only listen for those,

07:38

uh, those those filtered packets. So,

07:43

um and I'll show you in a second what the display filters look like The display filters, on the other hand, will capture everything. But

07:53

when you type in your display filter,

07:57

it will then filter

07:59

out of that list of everything, just the stuff that you want to see. So in this lab, we're gonna focus on display filters and not capture filters. And that's the main point that I wanted to make. Um, so the first thing that you want to d'oh

08:11

is select your network adapter

08:16

and

08:18

you want to

08:20

go up to capture,

08:22

then click on options.

08:26

And then the main thing that you want to make sure is checked is this promiscuous check box.