Nmap and Wireshark Part 2 - NM
So we're going to dive into it in a little more detail. First, we'll do a filter with ip.addr ==. All right, so basically what I'm doing with this filter is showing all traffic coming from or to 192.168.1.167. That's great, but the problem is that I'm remote-desktopped into this machine, so it's going to show me, as you can see here, some UDP traffic that I'm not really interested in, and traffic to a port I'm not interested in, because the main point is to show you what the nmap scan looks like.

So I'm going to add a little more to this filter. I've added "where the IP address is 1.167 and", which requires two ampersands, "ip.proto is not equal to udp", because I'm not interested in UDP traffic. All right, so down here at the bottom you can see that it's now only displaying 2,524 packets, so that's good. We've limited it to only TCP traffic, as you can see under the Protocol column, and it's only traffic related to 1.167. And of course it's going to grab the target machine too, which is 1.10.
All right, so now I want to filter a little more. As I said, we ran a default nmap scan, which is a SYN scan. So, as you learned in the last lesson about TCP flags, we'll filter a little more by adding tcp.flags.syn == 1, with two equals signs and a one. OK, so now if you look at the bottom it's displaying 1,044, and this really has filtered it down to the stuff we're most interested in. You see the source is our scanning station and the destination is the target host, and in the cases where the target host responded, you can see that destination and source are flipped.

Anyway, the main thing I want to show you here is that if you click on one of those raw packets in the filtered list and go down here to Transmission Control Protocol (TCP), you can see the source port and destination port. And if I scroll down a little further, you see where the flags are set, and right out here to the right it shows a SYN flag. Right here you see all of the flags that can be set in a TCP packet, and the SYN flag is set. And that's pretty much all I want to show you in that particular scan.

So now we're going to set up a different scan. I'll go ahead and close Wireshark. Actually, I won't save the capture; I'll clear the screen. And then I'm going to go back to the target host, fire up Wireshark again and start the capture.
All right, so the last scan we did was a TCP SYN scan. This time we're going to run a UDP scan, so I'll do nmap -sU (capital U), then -p for the ports. Again, you don't have to remember all this stuff; I'll show you a lot more detail about it later. These are some common UDP ports that are generally open and available on a 2012 R2 server, especially if it's a domain controller, and the IP address is 192.168.1.10.

All right, that scan didn't take very long to complete, so we'll go back to our target host. I'll stop the scan, I'll stop the capture, and we'll do another display filter. Again, we'll do ip.addr == 1.167 for the scanning station. All right, that's still capturing a lot, so we'll add ip.proto to it again; this time we're going to switch it up and make it only UDP traffic, and you can see it's now only displaying 294. And I'm going to add to that udp.dstport != 3389, because 3389 is the port that RDP talks on, or Terminal Services or Remote Desktop or Windows VDI, whatever you want to call it. OK, so that limited it to 186 packets. But you can see it's still showing a source port of 3389, so we want to get rid of that too: udp.srcport != 3389. That cleared out all of the traffic with a source or destination port of 3389, and what we're left with here is only 19 packets, and that is our UDP scan.

You can see the results of that. I'll go ahead and choose one of these; you can double-click on it to open it up if you want to. And there's the scan: destination port 138. In this case we see that there's a response to port 138 UDP. Really, my main point was to show you how to filter out unnecessary UDP traffic, especially in this case Windows Remote Desktop, and to show you the results of a UDP scan in nmap.
All right, so I'm actually going to close Wireshark again. You can actually just clear out the results, but just for continuity's sake I'll close it out. All right, so we'll fire up Wireshark again. While that's starting, I'll minimize the target host and, on my nmap scanning station, clear the screen. This is the last scan I want to show you, and maybe the most interesting. Well, first I've got to make sure I started the capture. I didn't. OK, so fire up the capture again, and we'll run nmap -sX. That is an Xmas scan, which sets the TCP FIN, PSH and URG flags. We'll run it against the target. So that's done; open back up the target, and I'll stop the capture.

All right, so now we're going to filter it, and I'll show you what it looks like from a protocol analyzer capture standpoint. We'll start with the same filter we started with last time, ip.addr == 192.168.1.167, which is the scanning station. That limited it down to 2,484 packets. Then we'll add "and tcp", which dropped it down to 2,244 packets. We want to look at the TCP flags, so we'll add tcp.flags.fin == 1, tcp.flags.push == 1 and tcp.flags.urg == 1. All right, so now we've dropped down to 1,000. You can see the source is 1.167, the destination is 1.10, and out here you can see that the FIN, PSH and URG flags are set in the TCP header. Just click on one of them, and again, down here at the bottom, I'll click on Transmission Control Protocol, which shows the source and destination ports. I'll go down to the flags, and you can see that urgent is set, push is set and fin is set.
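The three display filters built up in this lab (the SYN-scan filter, the UDP-scan filter that drops the Remote Desktop port, and the Xmas-scan filter) all boil down to reading a few header fields and testing flag bits. The following is an added example and not code from the lesson: it constructs a small, labelled capture of raw IPv4/TCP/UDP headers, decodes the fields Wireshark shows under "Transmission Control Protocol", and applies Python equivalents of each filter. The scanner and target addresses come from the lesson; the admin host 192.168.1.50, the bystander 192.168.1.77 and every port and flag combination in the capture are constructed for illustration.

```python
import socket
import struct
from dataclasses import dataclass

# Bits of the 8-bit TCP flags field in wire order (low bit = FIN), as Wireshark lists them.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP, UDP = 6, 17  # ip.proto values

SCANNER, TARGET = "192.168.1.167", "192.168.1.10"  # addresses used in the lesson
ADMIN, OTHER = "192.168.1.50", "192.168.1.77"       # constructed: RDP client and a bystander
RDP_PORT = 3389


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    flags: int = 0  # tcp.flags; 0 for UDP


def build_packet(src, dst, proto, sport, dport, flags=0):
    """Construct a minimal IPv4 + TCP/UDP header (no payload, checksums left at zero)."""
    if proto == TCP:
        # data offset 5 words (0x50), flags, window 65535, checksum 0, urgent pointer 0
        transport = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 65535, 0, 0)
    else:
        transport = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), 0, 0, 64,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + transport


def parse_packet(raw):
    """Decode the fields the lesson inspects: addresses, protocol, ports and TCP flags."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    body = raw[(ver_ihl & 0x0F) * 4:]  # IHL is in 32-bit words
    src, dst = socket.inet_ntoa(src), socket.inet_ntoa(dst)
    if proto == TCP:
        sport, dport, _, _, _, flags = struct.unpack("!HHIIBB", body[:14])
        return Packet(src, dst, TCP, sport, dport, flags)
    sport, dport = struct.unpack("!HH", body[:4])
    return Packet(src, dst, UDP, sport, dport)


def flag_names(flags):
    """Names of the set bits, in the order Wireshark's flag tree shows them."""
    table = [("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK), ("URG", URG)]
    return [name for name, bit in table if flags & bit]


# Display-filter equivalents. ip.addr matches either end of the packet, which is why the
# target's replies (source and destination flipped) stay in the filtered list.
def ip_addr(p, host):  # ip.addr == host
    return p.src == host or p.dst == host

def syn_scan(p):  # ip.addr == 192.168.1.167 && ip.proto != udp && tcp.flags.syn == 1
    return ip_addr(p, SCANNER) and p.proto != UDP and bool(p.flags & SYN)

def udp_scan(p):  # ip.addr == 192.168.1.167 && udp && udp.dstport != 3389 && udp.srcport != 3389
    return ip_addr(p, SCANNER) and p.proto == UDP and RDP_PORT not in (p.sport, p.dport)

def xmas_scan(p):  # ... && tcp && tcp.flags.fin == 1 && tcp.flags.push == 1 && tcp.flags.urg == 1
    want = FIN | PSH | URG
    return ip_addr(p, SCANNER) and p.proto == TCP and (p.flags & want) == want


def constructed_capture():
    """Constructed stand-in for the lab's pcap: scan probes, replies and RDP session noise."""
    return [
        build_packet(SCANNER, TARGET, TCP, 40001, 445, SYN),             # SYN probe, open port
        build_packet(TARGET, SCANNER, TCP, 445, 40001, SYN | ACK),       # reply: SYN/ACK
        build_packet(SCANNER, TARGET, TCP, 40002, 8080, SYN),            # SYN probe, closed port
        build_packet(TARGET, SCANNER, TCP, 8080, 40002, RST | ACK),      # reply: RST/ACK
        build_packet(ADMIN, SCANNER, TCP, 50000, RDP_PORT, PSH | ACK),   # RDP session (TCP)
        build_packet(ADMIN, SCANNER, UDP, 50001, RDP_PORT),              # RDP session (UDP)
        build_packet(SCANNER, ADMIN, UDP, RDP_PORT, 50001),              # RDP reply, sport 3389
        build_packet(SCANNER, TARGET, UDP, 40003, 138),                  # nmap -sU probe
        build_packet(TARGET, SCANNER, UDP, 138, 40003),                  # response from 138/udp
        build_packet(SCANNER, TARGET, TCP, 40004, 80, FIN | PSH | URG),  # nmap -sX probe
        build_packet(OTHER, TARGET, TCP, 51000, 443, SYN),               # unrelated host
    ]


def run_lab(raw_packets=None):
    """Return the packet count each filter leaves, like the count in Wireshark's status bar."""
    packets = [parse_packet(r) for r in (raw_packets or constructed_capture())]
    return {
        "ip.addr": sum(ip_addr(p, SCANNER) for p in packets),
        "syn_scan": sum(syn_scan(p) for p in packets),
        "udp_scan": sum(udp_scan(p) for p in packets),
        "xmas_scan": sum(xmas_scan(p) for p in packets),
    }


if __name__ == "__main__":
    for name, count in run_lab().items():
        print(f"{name:10s} {count} packets")
    for raw in constructed_capture():
        p = parse_packet(raw)
        if xmas_scan(p) or syn_scan(p):
            print(f"{p.src} -> {p.dst}  {p.sport} -> {p.dport}  flags={flag_names(p.flags)}")
```

Two things worth noticing when you run it: the SYN filter keeps the target's SYN/ACK replies as well as the probes, exactly as the lesson points out, because tcp.flags.syn == 1 says nothing about ACK; and excluding udp.dstport 3389 alone still leaves the scanner's own RDP replies in the list, which is why the lesson has to add the udp.srcport condition too.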
For now, that's really all I want to show you. The point is that you saw how fast that happened, and you can see how Wireshark comes in really handy for grabbing and evaluating packets as they're sent and received on the wire. I really want to drive home what we talked about in the TCP/IP section, the previous lesson: nmap really does craft packets and put them on the wire against target hosts, and if you're using a tool like Wireshark you can evaluate the results of those scans in great detail. This is just a primer, or "primmer" if you're from the UK. I hope you decide that Wireshark is worthwhile, give it a shot, and delve into much more detail than this. Thanks so much for watching this, and I look forward to seeing you in the next video.

In this lesson, we talked about what Wireshark is and a little about its history and use. Next, we talked about why we, as IT professionals, should use it. Then we discussed why you should consider playing around with Wireshark alongside nmap, and finally we did a lab on just that. Thanks so much for going through this lesson with me, and I'll see you again in the next one.