NMAP

Course
Time
7 hours 1 minute
Difficulty
Beginner
CEU/CPE
7

Video Transcription

00:00
So now we're gonna dive into it in a little bit more detail. So,
00:03
um,
00:04
first, we'll do
00:06
uh, a filter with ip.addr equals.
00:16
All right, So basically, what I'm doing with this filter is I'm showing all traffic
00:22
that
00:24
is coming from
00:26
or to 192.168.1.167.
00:32
So that's great. But the problem is that I'm remote desktop into this machine. So it's going to show me,
00:39
as you can see here, some UDP traffic that I'm not really interested in
00:43
and to port
00:46
3389,
00:48
which I'm not interested in because the main point is to show you
00:51
what the Nmap scan looks like.
00:54
So I'm gonna add to this filter a little bit more. We'll do.
01:07
So I've added where
01:11
IP address is 1.167 and, which requires two ampersands, ip dot protocol, or ip.proto, is not equal to UDP, because I'm not interested in UDP traffic.
01:26
Hit Enter.
01:26
All right, so down here at the bottom,
01:30
you can see that now it's only displaying 2500 and 24
01:37
packets, so that's good.
01:38
So
01:41
we've, we've limited it only to TCP traffic, as you could see under the Protocol column,
01:48
and it's only traffic related to 1.167.
01:53
And of course, it's gonna grab the
01:57
the target machine too, which is 1.10.
02:01
All right, so now I wanna filter a little bit more and add,
02:07
As I said, we ran a default Nmap scan, which is a SYN scan. So we'll do,
02:13
as you learned in the last lesson about TCP flags,
02:16
we'll filter a little bit more, doing a tcp
02:22
flags
02:24
syn equals, with two equal
02:29
signs, and a one.
02:31
Okay, so now if you look at the bottom, it's displaying 1044
02:38
packets essentially,
02:40
and this really has filtered it down to the stuff that we're most interested in.
02:46
You see, the source is
02:47
our scanning station. Destination
02:51
is the target host,
02:53
and in cases where the
02:58
target hosts responded,
03:00
um, you can see that
03:02
destination and the source have flipped.
03:06
So anyway, the main thing I want to show you here is if you click on
03:10
that raw packet
03:14
in the filter
03:15
and you go down here to Transmission Control Protocol, TCP.
03:21
You can see the source port, destination port.
03:25
And if I scroll down a little bit further,
03:29
you see where the flags are set, and you can see right out here to the right, it shows a SYN flag.
03:37
And
03:38
right here you see all of the flags that you can set in a TCP packet. And the SYN flag is set
03:46
to one.
03:52
And that's pretty much all I want to show you in, in in that particular scan. And so now we're gonna
03:58
set up a different scan. I'll go ahead and close Wireshark. Actually,
04:03
I won't save the scan,
04:05
minimize the
04:09
target host.
04:11
Clear the screen.
04:15
And actually, I'm gonna go back to the target host and fire up Wireshark again
04:24
and
04:25
go and start the capture.
04:32
All right, so this scan, well, the last scan we did a TCP SYN scan. This scan, we're gonna run a UDP scan, so I'll do nmap -s, capital U,
04:43
-p for the ports,
04:46
and again, you don't have to remember all this stuff. I'm gonna show you a lot more detail about it later.
04:56
And these are some, just common ports, common UDP ports that are
05:01
generally open and available on a 2012 R2 server, especially if they're a domain controller,
05:11
and the IP address is 192.168.1.10.
05:18
All right, so well, that scan Well, it didn't take very long to complete, so we'll go back to our target host.
05:25
I'll stop the scan,
05:27
I'll stop the capture.
05:30
And so we'll do another display filter
05:34
again. We'll do an ip.addr
05:38
equals
05:43
167 for the scanning station.
05:47
All right. Still capturing a lot of, um,
05:51
remote desktop
05:55
packets.
05:57
So add to that, we'll do, ah,
06:00
and ip
06:03
protocol.
06:05
This time we're going to switch it up and make it only UDP traffic,
06:12
and
06:14
you can see that it's now only displaying 294 of those
06:17
packets.
06:24
And I'm gonna add to that
06:27
do a udp.
06:36
So what I've done here is
06:39
UDP destination port does not equal 3389, because 3389 is the port
06:46
that RDP talks on, or Terminal Services or Remote Desktop or
06:54
Windows VDI, whatever you wanna call it.
07:00
Okay, so that limited it to, ah, 186 packets. But you can see that it's still showing,
07:09
uh, the source port of 3389. So we want to get rid of that too.
07:16
So we'll do UDP
07:20
source port does not equal 3389.
07:27
And so that cleared out all of the the source and destination of
07:32
port 3389
07:34
UDP.
07:36
And so what we're left with here is
07:41
only 19 packets
07:45
and that is of our UDP scan
07:50
and you can see
07:54
the results of that. I'll go ahead and choose one of these.
07:59
You can double click on it to open it up if you want to.
08:03
And there's the scan
08:07
destination port 138.
08:09
In this case,
08:11
we see that there's a response to port 138 UDP.
08:18
And so,
08:18
really, my main point was going to show you how to filter out
08:22
unnecessary UDP traffic,
08:26
especially in this case,
08:28
Windows remote desktop,
08:31
and show you the results of a UDP scan in Nmap.
08:37
All right, so
08:39
go ahead. And I'm actually gonna go and close Wireshark again.
08:43
You actually, you can clear out the results, but
08:48
just for continuity's sake, I'll close it out.
08:50
All right, so we'll fire up Wireshark again.
08:54
While that's starting,
08:56
I'll minimize the target host.
08:58
On my Nmap scanning station, I'll clear the screen.
09:01
And so this is the last scan that I want to show you and maybe the most interesting.
09:07
And that is nmap.
09:09
Well, first I got to make sure I started the capture. I didn't. Okay, so
09:16
fire up the capture again
09:20
We'll do nmap -sX.
09:24
And that is an Nmap
09:26
Xmas scan,
09:31
which sets the
09:33
push
09:35
the TCP FIN, the TCP push and urgent flags.
09:41
So and we'll do it against the target.
09:50
So that's done.
09:54
Open back up the target.
09:58
I'll stop the capture.
10:00
All right, so now we're gonna filter out
10:01
those results.
10:03
I'll show you what it looks like from a
10:09
protocol analyzer. Capture standpoint.
10:15
All right, So we'll start with the same
10:16
filter that we started with last time, that is ip.addr
10:22
equals 192.168.1.167,
10:28
which is the scanning station.
10:31
That limited it down to 2484 packets.
10:41
Then we'll add
10:41
and
10:45
and tcp
10:50
protocol equals,
10:52
or, for
10:54
ip,
10:56
ip
10:58
proto
11:00
equals TCP.
11:03
Dropped it down to 2244 packets,
11:07
and
11:09
we want to look at tcp
11:13
flags
11:16
dot fin
11:18
equals one
11:20
and tcp flags
11:24
push
11:26
equals one
11:28
and tcp
11:30
flags
11:31
urgent
11:33
equals one.
11:35
All right, so now we're dropped down to 1000
11:41
packets
11:41
and
11:43
you can see the source is
11:46
1.167, destination 1.10,
11:50
and out here you can see that the FIN, push and urgent flags are set in the TCP header
11:58
and
11:58
just click on one of them
12:01
and again down down here at the bottom,
12:05
I'll click on
12:07
Transmission Control Protocol, shows the source and destination ports,
12:13
and I'm gonna go down here to the flags
12:16
and you can see that the urgent is set.
12:20
The push is set, is set, and the FIN is set,
12:26
and for now, that's really all I want to show you. The point is that
12:33
you saw how fast that happened.
12:35
You can see
12:37
how Wireshark comes in really handy in evaluating,
12:41
uh, grabbing and evaluating packets as they're sent on the wire, sent and received on the wire.
12:48
And
12:50
I really want to drive home what we talked about in the TCP/IP section,
12:56
the previous lesson.
12:58
That
13:01
Nmap really does craft packets and put them on the wire against target hosts. And
13:07
if you're using a tool like Wireshark, you can evaluate the results of those scans in great detail. This is just a primer
13:16
or primer if you're from the UK
13:20
and so
13:22
I hope that you decide that Wireshark is worthwhile
13:26
and you give it a shot and delve into much more detail than this. Thanks so much for watching this, and I look forward to seeing you in the next video.
13:37
In this lesson, we talked about what Wireshark is and a little about its history and use. Next, we talked about why we, as IT professionals, should use it.
13:46
Then we discussed why you should consider playing around with Wireshark alongside Nmap,
13:52
and finally we did a lab on just that.
13:54
Thanks so much for going through this lesson with me and I'll see you again in the next one

Up Next

NMAP

The network mapper (NMAP) is one of the highest-quality and most powerful free network utilities in the cybersecurity professional's arsenal.

Instructed By

Rob Thurston
CIO at Integrated Machinery Solutions
Instructor