Welcome to the Nmap lesson on scan techniques.
Knowing the different scan techniques is almost as fundamental as understanding target specifications in Nmap.
In this lesson, I'll walk you through almost all of the available techniques as well as how and when they're used. Let's get started.
Here are the learning objectives for this lesson.
First, we'll talk about what a scan technique is
and where different scan types should be placed in an Nmap statement.
Next, I'll walk you through the most popular scan techniques, and finally, we'll discuss some more advanced scan techniques and some that are rarely used.
In Nmap, a scan technique is basically the way we tell Nmap the protocols that it should scan. There are many options available, but this typically means which protocol to use, such as TCP, UDP or IP.
Nmap also provides the user with the ability to tell Nmap how to craft packets such that specific options and flags are set in order to investigate the target's response.
Nmap will output details on whether interrogated ports are open, closed or filtered,
or, in the case of an IP scan, Nmap will tell us what IP protocols are supported by the target.
We talked about general TCP/IP topics in previous lessons and dug a little deeper into TCP, UDP, IP and ICMP headers. But if you want, you can really dig into the details on normal TCP/IP communications by reading
the IETF RFCs on TCP and the TCP/IP protocol suite.
TCP is defined in RFC 793 and TCP/IP is explained in RFC 1180.
One really great feature of Nmap is that it does all the heavy lifting for us as far as crafting packets and analyzing the results. So we as users simply have to tell it what to do, then read and interpret the output.
So, in a typical Nmap statement, where should the scan technique be placed?
I think the best place to put the scan technique is at the very beginning of the scan statement, right before your port number designation.
We'll cover the details of port scanning in a later lesson.
The reason I like to do this is because the rest of your scan statement usually depends heavily upon which protocols you chose to interrogate.
I put a simple example on this slide.
Do you have to use a scan technique?
Well, for the most part, the answer is that if you don't specify a scan technique, Nmap will use its default scan type, which is great.
And it's a TCP SYN or half-open scan.
So, no, you don't have to specify a scan technique, but if you don't, one will be selected for you.
However, I would say that the TCP SYN scan is the most popular and successful in many cases.
If you want to read more detail about all the scan techniques I'm providing in this lesson, see the reference at the bottom of this slide.
So when you're examining or creating an Nmap scan statement, the scan technique is defined by the capital letter next to the -s.
The only exception to this is the FTP bounce scan, which I'll discuss a little bit on the next slide.
As I just mentioned, Nmap -sS is a TCP SYN scan, otherwise known as a half-open scan.
If no scan technique is specified in your scan, this is what will run by default.
I should also mention that if specific ports are not identified in your scan,
Nmap will scan the 1,000 most popular ports used by modern systems.
As I've shown you before, you can limit this to 100 by adding the -F option to your scan.
The SYN scan is quick, unobtrusive and stealthy, and most importantly, it is effective because setting the SYN flag in TCP is always the first step in normal TCP communication.
If Nmap receives a SYN/ACK in response,
the port is open or listening.
If Nmap receives an RST or ICMP unreachable, it is considered closed,
and if no response is received after several retransmissions, it is considered filtered.
Nmap -sT is a TCP connect scan;
in other words, Nmap will complete the TCP three-way handshake.
This scan technique is used by Nmap
by default only when the user does not have raw packet privileges. It is slower, a little more intrusive and could be logged and flagged by an IDS.
That's why it is a good idea to run Nmap as a privileged user, or as an administrator in Windows,
because the SYN scan is almost always a better choice.
Nmap -sU is a UDP scan. Even though most services on the Internet run over TCP, there are still a lot of really important ones that use UDP.
Examples include DNS at 53,
DHCP clients at 68,
DHCP servers at 67,
SNMP at 161 and 162,
TFTP at 69,
VoIP, which is at 5060,
and syslog at 514, just to name a few of the most popular and easiest to exploit.
One really common thing to do in an Nmap scan is to combine a UDP scan with a SYN scan by using
-sU and -sS.
The last popular scan technique I've placed on this slide is Nmap -sO,
which is an IP protocol scan.
If you remember from our lesson on IP headers, this type of scan will cycle through each of the protocol field's responses to determine which protocols are supported by the target.
This is a great scan to run first before you delve into deeper scanning.
It isn't a port scan but will still allow you to use the -p option, which will be discussed in a later lesson.
You can use this to specify which protocol numbers to interrogate.
I'll go through these a little faster.
One thing I want to say up front is that some of these are advanced, and some of them are simply rarely used and ineffective.
The best thing to do is think carefully about what the scan techniques are doing at layer four and choose them based on what you're trying to accomplish.
For the most part, the ones at the bottom are still widely used for firewall evasion and penetration testing.
Nmap -sY is an SCTP INIT scan.
It is quick and reliable,
but not many hosts and services on the Internet currently use SCTP, which is a transport layer protocol developed mostly for use in the telecom world.
This certainly may change in the future, so keep this one in your toolbox.
Nmap -sA is a TCP ACK scan. In other words, it sets the ACK flag in the initial probe.
This one is different from the other scans because it doesn't attempt to determine if a port is open or open|filtered.
It is used to map out firewall rule sets to determine whether they're stateful or not, and which ports are filtered.
This scan could be slow if many ports are determined filtered.
Nmap -sW is a TCP window scan. It is the same as the TCP ACK scan except that it examines the TCP header's window field of the returned RST packet.
Not many systems on the Internet respond
Nmap -sM is a TCP Maimon scan, which is named after the guy who described the technique in the nineties.
It was effective to determine if BSD-derived systems had open ports.
Modern systems rarely exhibit the bug exploited by the scan.
Now, for some out-of-state scan techniques used for firewall evasion.
The big advantage of these scans is that they can sneak through some non-stateful firewalls and packet filtering routers. Also,
they are slightly more stealthy than a SYN scan.
Consider them as a secondary scanning technique to gather additional information about a host.
Nmap -sN is a null scan, so all TCP flags are set to zero or off.
In production environments, every TCP packet has at least one flag set.
Every host should respond with RST packets in the response. The port is considered open if no reply is received.
Nmap -sF is a FIN scan and sets the TCP FIN bit to one.
In normal TCP communication, the FIN flag is set at the end of a conversation, typically to suggest the data transfer is complete.
So if you set the FIN bit to one in an initial conversation, the target will respond with an RST to reset the connection.
When Nmap receives an RST, it knows that the host is alive.
Nmap -sX
is an Xmas scan.
It sets the FIN, PSH and URG flags to one.
When you examine this from the receiving end, using a packet sniffer,
it looks as though every other flag is set. So it looks like blinky lights that might be on a Christmas tree.
Like the null scan and FIN scan, if an RST packet is received back, the port is considered closed,
while no response means it is open and filtered.
I'm including the Nmap -b
in this section because
it has the ability to exploit an old vulnerability in FTP, defined in RFC 959, called proxy FTP connections.
Since FTP servers are often outward facing yet accessible from the inside of a network, you can use this technique to ask FTP servers to send a file to each interesting port of a target host inside the network.
If an attacker finds an FTP server accessible from the outside, they quickly check to see if that server is vulnerable to this exploitation by running the ftp-bounce NSE script.
In this lesson we talked about Nmap scan techniques. First, we talked about what a scan technique is and where the different scan types should be placed in an Nmap statement.
Next, I walked you through the most popular scan techniques,
and finally we discussed some more advanced scan techniques and some that are rarely used and ineffective.
In the next lesson, I'll walk you through a lab.
I probably won't run every single one of the scans provided in this lesson.
You could do that yourself in your own exploration.
However, I will walk you through the ones you need to know for everyday Nmap usage, and we'll show you how to combine certain scan techniques and how to look at the results.
Thanks so much for going through this lesson with me and I'll see you again in the next one.
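
The probe types covered in this lesson can be recognised from the receiving end by the TCP flags they set. The Python below is an added example, not part of the original lesson or of Nmap: it classifies logged packets by flag combination and reports sources that send NULL, FIN or Xmas probes, or SYN or ACK packets to several ports of one host. The record format, the names PROBE_TYPES, detect and port_threshold, and the sample addresses are constructed for illustration, and it assumes the log holds only packets that did not belong to an established connection.

```python
from collections import defaultdict

# Flag sets of the initial probes named in the lesson.
PROBE_TYPES = {
    frozenset(): "NULL (-sN)",
    frozenset({"FIN"}): "FIN (-sF)",
    frozenset({"FIN", "PSH", "URG"}): "Xmas (-sX)",
    frozenset({"SYN"}): "SYN (-sS/-sT)",
    frozenset({"ACK"}): "ACK (-sA/-sW)",
}
# No normal TCP conversation starts with these, so a single packet is notable.
OUT_OF_STATE = {"NULL (-sN)", "FIN (-sF)", "Xmas (-sX)"}

# Constructed sample records: "src dst dport flags" ("-" means no flags set).
SAMPLE_LOG = """\
198.51.100.7 192.0.2.10 22 SYN
198.51.100.7 192.0.2.10 80 SYN
198.51.100.7 192.0.2.10 443 SYN
198.51.100.7 192.0.2.10 3389 SYN
203.0.113.9 192.0.2.10 80 FIN,PSH,URG
203.0.113.9 192.0.2.10 25 -
192.0.2.50 192.0.2.10 443 SYN
198.51.100.20 192.0.2.10 80 ACK
198.51.100.20 192.0.2.10 81 ACK
198.51.100.20 192.0.2.10 82 ACK
"""

def parse(line):
    # One record -> (src, dst, dport, frozenset of flag names).
    src, dst, dport, flags = line.split()
    flagset = frozenset() if flags == "-" else frozenset(flags.split(","))
    return src, dst, int(dport), flagset

def detect(log, port_threshold=3):
    """Return {src: [(probe type, dst, distinct ports probed), ...]}."""
    ports = defaultdict(set)  # (src, dst, probe type) -> distinct dports
    for line in filter(str.strip, log.splitlines()):
        src, dst, dport, flagset = parse(line)
        kind = PROBE_TYPES.get(flagset)
        if kind is not None:
            ports[(src, dst, kind)].add(dport)
    findings = defaultdict(list)
    for (src, dst, kind), dports in sorted(ports.items()):
        # SYN and ACK are normal in isolation; flag them only as a sweep.
        if kind in OUT_OF_STATE or len(dports) >= port_threshold:
            findings[src].append((kind, dst, len(dports)))
    return dict(findings)

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

The single SYN from 192.0.2.50 is not reported, while one NULL or Xmas packet is enough to report 203.0.113.9.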