NMAP

Course
Time
6 hours 31 minutes
Difficulty
Beginner
CEU/CPE
7

Video Transcription

00:01
Welcome to the target specifications lab.
00:03
I decided to break this off from the previous lesson because there's just so much to go through, and getting your target right might be the most important thing about constructing an nmap statement.
00:13
So bear with me because it is really all useful stuff.
00:17
Okay, let's move on to the lab.
00:19
In this lab, we're gonna run through target specifications we discussed in a previous lesson and combine them with new target specs I've provided you in this lesson. Let's do it.
00:30
Welcome to the nmap lab on target specifications.
00:33
Getting the target right is vital to any nmap scan. So let's make sure we do it right.
00:40
All right, so I'm at the command prompt, and I'm going to start with a single IP address scan using nmap
00:49
192.168.1.1.
00:55
So the target obviously is an IP address.
00:58
And there you can see the results and some information about the device that sits on that IP.
01:03
So
01:04
clear the screen.
01:07
And now we'll do a new one, and that is
01:19
So this is an nmap scan of multiple IP addresses. Notice that they're separated by a space.
01:26
There's no comma there,
01:27
so I hit enter.
01:42
And there you can see the results. Three hosts up, scanned in 12.77 seconds,
01:49
and I'll slowly scroll up so you can see the details.
01:53
See the ports, MAC addresses
01:57
and so forth.
02:00
All right, so I'll clear the screen.
02:04
Now do a
02:06
nmap -F. That's a fast scan, meaning that it scans the most popular 100 ports.
02:22
And I'm gonna do a range of IP addresses, um, one through 50,
02:28
so you don't have to type the entire IP address again. You could just put 1.1-50.
02:38
It's a lot of IP addresses to scan, but it goes fast because I did the fast scan.
02:44
So you can see there's 50 IP addresses.
02:47
Six of them are up, and it was scanned in 3.66
02:51
3.67 seconds.
02:54
There's all the detail,
03:00
all right, I'll clear the screen again.
03:05
And now I just want to show you
03:07
that you can scan a single fully qualified domain name, so we'll do nmap scanme.nmap.org.
03:15
We've done this 100 times already.
03:20
Oops. Actually typed it wrong.
03:22
nmap scanme.nmap.org.
03:35
All right, so
03:36
there's the details on the nmap scanme.nmap.org
03:42
fully qualified domain name.
03:45
All right,
03:46
Clear the screen again. And now I want to show you kind of a combination of two of the scans that we just did. And that is the following.
04:04
All right, so basically what I'm trying to show you here is that you can scan multiple hosts with a space in between them,
04:13
but they don't all have to be IP addresses. They could be IP addresses
04:17
in IPv4 format, IPv6,
04:20
and you can put a fully qualified domain name in there.
04:25
So hit enter.
04:41
All right. Took 12.15 seconds and all three hosts are up.
04:46
There's the details.
04:48
Lots of stuff open on 1.10.
04:54
All right. And it was successful, so I'll clear the screen again.
05:00
Now we'll do a ping sweep. This will be a ping sweep of the entire subnet in CIDR notation. And what the ping sweep does is
05:09
it sends an ICMP echo request, a TCP SYN to port 443,
05:15
a TCP ACK to port 80, and an ICMP timestamp request.
05:19
The thing I like the most about it
05:21
is that it scans a huge range of IP addresses really fast. And it basically provides you with a list of only the IP addresses that
05:30
are up and running, so it gives you a list of live hosts.
05:34
So here's the command.
05:42
Most important part here, since we're talking about target specifications, is just basically nmap and then 192.168.1.0/24, so the CIDR notation, but
05:54
because we're limited on time, I threw in the -sn because it runs so fast.
06:06
There you can see the results. Took 4.93 seconds, and out of 256 IP addresses it found 27 hosts, and you can see that it provides the MAC address.
06:17
Tries to determine the manufacturer of the network card based on the MAC address, and it'll do a name resolution on each IP.
06:28
So it's a really cool scan,
06:30
and we'll do it more later when we get into host discovery.
06:35
All right, clear the screen again.
06:43
Then I want to show you a similar scan, which is nmap -sn
06:48
nmap.org/29.
06:50
So the main thing is the nmap.org/29. And we've done this one before, too.
06:56
Uh,
06:56
So it is
06:59
basically I'm trying to show you that you could do CIDR notation with a domain name,
07:02
so it will find all of the IP addresses
07:05
in the /29 network adjacent to nmap.org.
07:12
Uh, and I'm doing a ping sweep again because it's fast.
07:21
All right, there's the results, and you can see that there are five hosts adjacent to
07:27
that domain name.
07:29
So clear the screen again.
07:35
All right, now we're gonna go into something a little bit new. So we'll do, um, I'm in, you can see, the Program Files nmap directory.
07:45
I'm gonna create a directory
07:47
called Targets.
07:53
I'm gonna navigate to that folder.
07:58
Clear the screen
08:00
Right now I'm gonna basically create a file, and you'll see why in a second. Um, I'm gonna do a notepad
08:07
targetlist.txt.
08:11
Okay.
08:16
Do you want to create a new file? Yes.
08:22
Here's the file.
08:24
All right. So what you can do is just list,
08:28
uh,
08:28
as many targets as you want to scan.
08:31
And I'll show you the command for running the scan against those targets in just a minute.
08:35
So we'll do.
08:37
I'll just pick some random ones. Will do.
08:52
I'll throw in a, uh, host name,
09:00
and
09:01
I'll go ahead and do an outside
09:05
domain name.
09:07
We'll just do it.
09:09
Google.
09:11
And let's just leave it at that
09:16
File, Save,
09:20
close,
09:20
do a dir, make sure it's there.
09:24
All right, so targetlist is there.
09:28
Clear the screen again.
09:31
All right, so the command to run a scan against all of those targets is like this. We'll do nmap, and you can just do
09:39
-iL,
09:39
and then the file. Since there's kind of a bunch of them there, I'm gonna do a ping sweep again, so we'll do -sn,
09:46
and then -iL
09:50
and then
09:50
the name of the file.
09:56
All right,
09:56
so basically what it's gonna do is do a ping sweep
10:01
with all of the hosts that exist in this file name.
10:07
So hit enter.
10:13
There you can see it scanned 35 IP addresses,
10:18
77 of them are up, and scanned it in 1.5 seconds. So that was really fast. You see Google right there?
10:26
I don't feel too bad about doing a ping sweep of Google, because it's really a very quiet scan. And,
10:33
you know, people
10:37
ping Google all the time just to make sure their network is working. And so a simple ping sweep is nothing compared to the traffic they're used to, so
10:46
d'oh!
10:46
Clear screen.
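The target forms used throughout this lab (a single IPv4 address, an octet range such as 192.168.1.1-50, a CIDR block such as 192.168.1.0/24, a hostname, and a whitespace-separated target file read with -iL) are worked here as an added example; it is not part of the course and not Nmap's own code. It expands each spec offline so you can count what a target specification actually covers before a scan is run. Hostnames are passed through unresolved (no DNS is done), so a hostname/NN spec stays one entry here, whereas Nmap resolves the name first and then applies the prefix. The '#'-comment skipping in the list parser and the sample target list are assumptions and constructed data of this example.

```python
"""Expand Nmap-style target specifications offline (added example, not Nmap code)."""
import ipaddress
import itertools
import re

# One IPv4 octet field may be a number (10), a range (1-50, -, 3-) or a comma list (3-5,7).
OCTET_FIELD = re.compile(r"^[0-9,-]+$")


def _expand_octet(field):
    """'1-50' -> 1..50, '3-5,7' -> [3, 4, 5, 7], '-' -> 0..255, '10' -> [10]."""
    values = []
    for piece in field.split(","):
        if "-" in piece:
            lo_s, hi_s = piece.split("-", 1)
            lo = int(lo_s) if lo_s else 0      # an open start means 0
            hi = int(hi_s) if hi_s else 255    # an open end means 255
        else:
            lo = hi = int(piece)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet field {field!r}")
        values.extend(range(lo, hi + 1))
    return values


def expand_target(spec):
    """Return the list of hosts (as strings) that one target spec covers."""
    host, slash, _prefix = spec.partition("/")
    octets = host.split(".")
    ipv4_like = len(octets) == 4 and all(OCTET_FIELD.match(o) for o in octets)
    if ipv4_like and slash:
        if any("-" in o or "," in o for o in octets):
            # Limitation of this helper only: it does not mix octet ranges with CIDR
            raise ValueError(f"octet ranges and CIDR not combined here: {spec!r}")
        # CIDR block: every address, network and broadcast included (256 for a /24)
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    if ipv4_like:
        # Octet ranges: the cartesian product of each field's values
        fields = [_expand_octet(o) for o in octets]
        return [".".join(map(str, combo)) for combo in itertools.product(*fields)]
    # IPv6 literal or hostname (optionally hostname/NN): left for the scanner to resolve
    return [spec]


def parse_target_list(text):
    """Split an -iL style file: entries separated by spaces, tabs or newlines.
    Lines starting with '#' are skipped here as a convenience (an assumption of
    this helper, not a statement about Nmap's own file parsing)."""
    specs = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        specs.extend(line.split())
    return specs


def expand_all(specs):
    """Concatenate the expansions of several specs, in the order given."""
    hosts = []
    for spec in specs:
        hosts.extend(expand_target(spec))
    return hosts


# Constructed sample in the shape of the lab's targetlist.txt (not the instructor's file)
SAMPLE_TARGET_LIST = """\
# lab hosts
192.168.1.1 192.168.1.10
192.168.1.20-25
scanme.nmap.org
"""

if __name__ == "__main__":
    for spec in ["192.168.1.1", "192.168.1.1-50", "192.168.1.0/24", "nmap.org/29"]:
        print(f"{spec:>16} -> {len(expand_target(spec))} entries")
    hosts = expand_all(parse_target_list(SAMPLE_TARGET_LIST))
    print(f"sample -iL list -> {len(hosts)} entries, first three: {hosts[:3]}")
```

Running the script prints 1 entry for the single address, 50 for the 1-50 range and 256 for the /24, matching the counts the instructor reads off the scan output; the sample list expands to 9 entries, and the hostname stays a single entry until something resolves it.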


Instructed By

Rob Thurston
CIO at Integrated Machinery Solutions
Instructor