Target Specification Lab Part 1 - NM
Welcome to the target specifications lab.
I decided to break this off from the previous lesson because there's just so much to go through, and getting your target right might be the most important thing about constructing an Nmap statement.
So bear with me, because it is really all useful stuff.
Okay, let's move on to the lab.
In this lab, we're gonna run through the target specifications we discussed in a previous lesson and combine them with the new target specs I've provided you in this lesson. Let's do it.
Welcome to the Nmap lab on target specifications.
Getting the target right is vital to any Nmap scan, so let's make sure we do it right.
All right, so I'm at the command prompt, and I'm going to start with a single IP address scan using nmap 192.168.1.1.
So the target obviously is an IP address.
And there you can see the results and some information about the device that sits on that IP.
Clear the screen.
And now we'll do a new one. So this is an Nmap scan of multiple IP addresses. Notice that they're separated by a space; there's no comma there.
So I hit Enter.
And there you can see the results: three hosts up, scanned in 12.77 seconds,
and I'll slowly scroll up so you can see the details.
See the ports, MAC addresses, and so forth.
All right, so I'll clear the screen.
Now I'll do an nmap -F. That's a fast scan, meaning that it scans the most popular 100 ports.
And I'm gonna do a range of IP addresses, um, 1 through 50,
so you don't have to type the entire IP address again. You can just put 1.1-50.
It's a lot of IP addresses to scan, but it goes fast because I did the fast scan.
So you can see there's 50 IP addresses.
Six of them are up, and it was scanned in 3.66.
There's all the detail.
All right, I'll clear the screen again.
And now I just want to show you that you can scan a single fully qualified domain name, so we'll do an nmap scanme.nmap.org. We've done this 100 times already.
Oops, actually typed it wrong.
nmap scanme.nmap.org.
All right, so there's the details on scanme.nmap.org, a fully qualified domain name.
Clear the screen again. And now I want to show you kind of a combination of two of the scans that we just did. And that is the following.
All right, so basically what I'm trying to show you here is that you can scan multiple hosts with a space in between them,
but they don't all have to be IP addresses. They could be IP addresses in IPv4 format, IPv6,
and you can put a fully qualified domain name in there.
So hit Enter.
All right. Took 12.15 seconds and all three hosts are up.
There's the details.
Lots of stuff open on 1.10.
All right. And it was successful, so I'll clear the screen again.
Now we'll do a ping sweep. This will be a ping sweep of the entire subnet in CIDR notation. And what the ping sweep does is
it sends an ICMP echo request, a TCP SYN to port 443,
a TCP ACK to port 80, and an ICMP timestamp request.
The thing I like the most about it
is that it scans a huge range of IP addresses really fast. And it basically provides you with a list of only the IP addresses that
are up and running, so it gives you a list of live hosts.
So here's the command.
The most important part here is we're talking about target specifications. So it's just basically nmap and then the 192.168.1.0 and then /24, so the CIDR notation. But
because we're limited on time, I threw in the -sn because it runs so fast.
There you can see the results: took 4.93 seconds, and out of 256 IP addresses it found 27 hosts, and you can see that it provides the MAC address,
tries to determine the manufacturer of the network card based on the MAC address, and it'll do a name resolution on each IP.
So it's a really cool scan,
and we'll do it more later when we get into host discovery.
All right, clear the screen again.
Then I want to show you a similar scan, which is nmap -sn.
So the main thing is the nmap.org/29. And we've done this one before, too.
So basically I'm trying to show you that you can do CIDR notation with a domain name,
so it will find all of the IP addresses
in the /29 network adjacent to nmap.org.
Uh, and I'm doing a ping sweep again because it's fast.
All right, there's the results, and you can see that there are five hosts adjacent to
that domain name.
So clear the screen again.
All right, now we're gonna go into something a little bit new. So we'll do, um, I'm in, you can see, I'm in the Program Files Nmap directory.
I'm gonna create a directory.
I'm gonna navigate to that folder.
Clear the screen.
Right now I'm gonna basically create a file, and you'll see why in a second. Um, I'm gonna do a notepad
targetlist.txt.
Do you want to create a new file? Yes.
Here's the file.
All right, so what you can do is just list
as many targets as you want to scan.
And I'll show you the command for running the scan against those targets in just a minute.
So we'll do...
I'll just pick some random ones. We'll do...
I'll throw in a, uh, hostname.
I'll go ahead and do an outside...
We'll just do it.
And let's just leave it at that.
Do a dir, make sure it's there.
All right, so targetlist is there.
Clear the screen again.
All right, so the command to run a scan against all of those targets is like this. We'll do nmap, and you can just do
-iL and then the file. Since there's kind of a bunch of them there, I'm gonna do a ping sweep again, so we'll do -sn,
and then -iL,
the name of the file.
So basically what it's gonna do is do a ping sweep
with all of the hosts that exist in this file name.
So hit Enter.
There you can see it scanned 35 IP addresses,
77 of them are up, and scanned it in 1.5 seconds. So that was really fast. You see Google right there?
I don't feel too bad about doing a ping sweep of Google, 'cause it's really a very quiet scan. And,
you know, people
ping Google all the time just to make sure their network is working. And so a simple ping sweep is nothing compared to the traffic they're used to, so
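The lab covers the Nmap target forms one by one (single address, octet ranges like 192.168.1.1-50, CIDR like 192.168.1.0/24, hostnames, and an -iL list file). The following is an added example, not part of the lesson or of Nmap itself: a small Python expander that turns those same target specifications into the concrete address list Nmap would scan, plus a scope check, so you can see how many hosts a spec covers and whether any fall outside an approved range before running the scan. The target-list text and the allowed ranges are constructed sample data.

```python
import ipaddress
import re
from typing import List

# Constructed sample of an -iL target list. As in Nmap, '#' comments and
# blank lines are ignored and several specs may share a line.
SAMPLE_TARGET_LIST = """
# constructed target list for -iL (example data, not the lesson's file)
192.168.1.1
192.168.1.2-4
scanme.nmap.org
10.0.0.0/30
"""

def _octet_values(part: str) -> range:
    """'7' -> 7..7, '1-50' -> 1..50 (Nmap octet-range syntax)."""
    lo, _, hi = part.partition("-")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 0 <= lo_i <= hi_i <= 255:
        raise ValueError(f"bad octet range: {part}")
    return range(lo_i, hi_i + 1)

def expand_spec(spec: str) -> List[str]:
    """Expand one target spec: plain IPv4/IPv6, CIDR (192.168.1.0/24),
    octet ranges (192.168.1.1-50, 10.0.0-3.1) or a hostname (left unresolved)."""
    spec = spec.strip()
    if "/" in spec:
        # strict=False lets 192.168.1.5/24 mean the whole /24, as Nmap does
        return [str(h) for h in ipaddress.ip_network(spec, strict=False)]
    parts = spec.split(".")
    if len(parts) == 4 and all(re.fullmatch(r"\d{1,3}(-\d{1,3})?", p) for p in parts):
        a, b, c, d = (_octet_values(p) for p in parts)
        return [f"{w}.{x}.{y}.{z}" for w in a for x in b for y in c for z in d]
    try:
        return [str(ipaddress.ip_address(spec))]
    except ValueError:
        return [spec]  # hostname: Nmap resolves it via DNS at scan time

def expand_target_file(text: str) -> List[str]:
    """Expand an -iL style file: whitespace-separated specs, '#' comments."""
    targets: List[str] = []
    for line in text.splitlines():
        for spec in line.split("#", 1)[0].split():
            targets.extend(expand_spec(spec))
    return targets

def out_of_scope(targets: List[str], allowed_cidrs: List[str]) -> List[str]:
    """Targets not inside any allowed range; unresolved hostnames are flagged too."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    bad = []
    for t in targets:
        try:
            ip = ipaddress.ip_address(t)
        except ValueError:
            bad.append(t)
            continue
        if not any(ip in n for n in nets):
            bad.append(t)
    return bad
```

Run `expand_spec("192.168.1.0/24")` to confirm the 256 addresses the lesson's /24 ping sweep covers, and `out_of_scope(expand_target_file(SAMPLE_TARGET_LIST), ["192.168.1.0/24"])` to list what in a target file would leave the lab network.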