Nmap and Wireshark Part 2 - NM
Video Transcription
00:00
So now we're getting to dive into it in a little bit more detail. So,
00:03
um,
00:04
first, we'll do,
00:06
uh, a filter with ip.addr ==.
00:16
All right, so basically, what I'm doing with this filter is I'm showing all traffic
00:22
that
00:24
is coming from
00:26
or to 192.168.1.167.
00:32
So that's great. But the problem is that I'm remote desktopped into this machine. So it's going to show me,
00:39
as you can see here, some UDP traffic that I'm not really interested in
00:43
and to port
00:46
3389,
00:48
which I'm not interested in because the main point is to show you
00:51
what the Nmap scan looks like.
00:54
So I'm gonna add to this filter a little bit more. We'll do...
01:07
So I've added where
01:11
IP address is 1.167 and, which requires two ampersands, ip.protocol, or ip.proto, is not equal to UDP, because I'm not interested in UDP traffic.
01:26
Hit enter.
01:26
All right, so down here at the bottom,
01:30
you can see that now it's only displaying 2524
01:37
packets, so that's good.
01:38
So
01:41
we've limited it only to TCP traffic, as you can see under the Protocol column,
01:48
and it's only traffic related to 1.167.
01:53
And of course, it's gonna grab the
01:57
target machine too, which is 1.10.
02:01
All right, so now I wanna filter a little bit more and add,
02:07
As I said, we ran a default Nmap scan, which is a SYN scan. So we'll do,
02:13
as you learned in the last lesson about TCP flags,
02:16
we'll filter a little bit more, doing a tcp
02:22
flags
02:24
syn equals, with two equal
02:29
signs, and a one.
02:31
Okay, so now if you look at the bottom, it's displaying 1044
02:38
packets essentially,
02:40
and this really has filtered it down to the stuff that we're most interested in.
02:46
You see, the source is
02:47
our scanning station. Destination
02:51
is the target host,
02:53
and in cases where the
02:58
target hosts responded,
03:00
um, you can see that
03:02
destination and the source are flipped.
03:06
So anyway, the main thing I want to show you here is if you click on
03:10
that raw packet
03:14
in the filter
03:15
and you go down here to Transmission Control Protocol, TCP,
03:21
you can see the source port, destination port.
03:25
And if I scroll down a little bit further,
03:29
you see where the flags are set, and you can see right out here to the right, it shows a SYN flag.
03:37
And
03:38
right here you see all of the flags that you can set in a TCP packet. And the SYN flag is set
03:46
to one.
03:52
And that's pretty much all I want to show you in that particular scan. And so now we're gonna
03:58
set up a different scan. I'll go ahead and close Wireshark. Actually,
04:03
I won't save the scan,
04:05
minimize the
04:09
target host.
04:11
Clear the screen.
04:15
And actually, I'm gonna go back to the target host and fire up Wireshark again
04:24
and
04:25
go and start the capture.
04:32
All right, so this scan: where the last scan we did was a TCP SYN scan, this scan, we're gonna run a UDP scan, so I'll do nmap -sU, dash s capital U,
04:43
-p for the ports,
04:46
and again, you don't have to remember all this stuff. I'm gonna show you a lot more detail about it later.
04:56
And these are just some common ports, common UDP ports, that are
05:01
generally open and available on a 2012 R2 server, especially if they're a domain controller,
05:11
and the IP address is 192.168.1.10.
05:18
All right, so, well, that scan, well, it didn't take very long to complete, so we'll go back to our target host.
05:25
I'll stop the scan,
05:27
I'll stop the capture.
05:30
And so we'll do another display filter
05:34
again. We'll do an ip.addr
05:38
equals
05:43
1.167 for the scanning station.
05:47
All right. Still capturing a lot of, um,
05:51
remote desktop
05:55
packets.
05:57
So, add to that, we'll do, ah,
06:00
and ip
06:03
.proto.
06:05
This time we're going to switch it up and make it only UDP traffic,
06:12
and
06:14
you can see that it's now only displaying 294 of those
06:17
packets.
06:24
And I'm gonna add to that
06:27
do a udp.
06:36
So what I've done here is
06:39
udp.dstport does not equal 3389, because 3389 is the port
06:46
that RDP talks on, or Terminal Services or Remote Desktop or
06:54
Windows VDI, whatever you wanna call it.
07:00
Okay, so that limited it to, ah, 186 packets. But you can see that it's still showing,
07:09
uh, the source port of 3389. So we want to get rid of that too.
07:16
So, udp
07:20
.srcport does not equal 3389.
07:27
And so that cleared out all of the source and destination of
07:32
port 3389
07:34
UDP.
07:36
And so what we're left with here is
07:41
only 19 packets
07:45
and that is our UDP scan,
07:50
and you can see
07:54
the results of that. I'll go ahead and choose one of these.
07:59
You can double click on it to open it up if you want to.
08:03
And there's the scan
08:07
destination port 138.
08:09
In this case,
08:11
we see that there's a response to port 138 UDP.
08:18
And so,
08:18
really, my main point was going to show you how to filter out
08:22
unnecessary UDP traffic,
08:26
especially in this case,
08:28
Windows remote desktop,
08:31
and show you the results of a UDP scan in Nmap.
08:37
All right, so
08:39
go ahead, and I'm actually gonna go and close Wireshark again.
08:43
Actually, you can clear out the results, but
08:48
just for continuity's sake, I'll close it out.
08:50
All right, so we'll fire up Wireshark again.
08:54
While that's starting,
08:56
I'll minimize the target host
08:58
on my Nmap scanning station, I'll clear the screen.
09:01
And so this is the last scan that I want to show you, and maybe the most interesting.
09:07
And that is an Nmap,
09:09
Well, first I got to make sure I started the capture. I didn't. Okay, so
09:16
fire up the capture again
09:20
with you, nmap -sX.
09:24
And that is an Nmap
09:26
Xmas scan,
09:31
which sets the
09:33
push
09:35
the TCP FIN, the TCP push, and urgent flags.
09:41
So, and we'll do it against the target.
09:50
So that's done.
09:54
Open back up the target.
09:58
I'll stop the capture.
10:00
All right, so now we're gonna filter out
10:01
those results.
10:03
I'll show you what it looks like from a
10:09
protocol analyzer capture standpoint.
10:15
All right, so we'll start with the same
10:16
filter that we started with last time, that is, ip.addr
10:22
== 192.168.1.167,
10:28
which is the scanning station.
10:31
That limited it down to 2484 packets.
10:41
Then we'll add
10:41
and
10:45
and tcp
10:50
protocol equals,
10:52
er, for
10:54
ip
10:56
ip dot
10:58
proto
11:00
equals tcp
11:03
dropped it down to 2244 packets,
11:07
and
11:09
we want to look at tcp
11:13
flags
11:16
dot fin
11:18
equals one
11:20
and tcp flags
11:24
push
11:26
equals one
11:28
and tcp
11:30
flags
11:31
urgent
11:33
equals one.
11:35
All right, so now we're dropped down to 1000
11:41
packets
11:41
and
11:43
you can see the source is
11:46
1.167, destination 1.10,
11:50
and out here you can see that the FIN, push, and urgent flags are set in the TCP header,
11:58
and
11:58
just click on one of them
12:01
and again, down here at the bottom,
12:05
I'll click on
12:07
Transmission Control Protocol, shows the source and destination ports,
12:13
and I'm gonna go down here to the flags
12:16
and you can see that the urgent is set.
12:20
The push is set, and the FIN is set,
12:26
and for now, that's really all I want to show you. The point is that
12:33
you saw how fast that happened.
12:35
You can see
12:37
how Wireshark comes in really handy in evaluating,
12:41
uh, grabbing and evaluating packets as they're sent and received on the wire.
12:48
And
12:50
I really want to drive home what we talked about in the TCP/IP section,
12:56
the previous lesson.
12:58
That
13:01
Nmap really does craft packets and put them on the wire against target hosts. And
13:07
if you're using a tool like Wireshark, you can evaluate the results of those scans in great detail. This is just a primer
13:16
or primer if you're from the UK
13:20
and so
13:22
I hope that you decide that Wireshark is worthwhile
13:26
and you give it a shot and delve into much more detail than this. Thanks so much for watching this, and I look forward to seeing you in the next video.
13:37
In this lesson, we talked about what Wireshark is and a little about its history and use. Next, we talked about why we, as IT professionals, should use it.
13:46
Then we discussed why you should consider playing around with Wireshark alongside Nmap,
13:52
and finally we did a lab on just that.
13:54
Thanks so much for going through this lesson with me, and I'll see you again in the next one.