NMAP

Course
Time
6 hours 31 minutes
Difficulty
Beginner
CEU/CPE
7

Video Transcription

00:00
Welcome to the end. Maps can techniques, lab.
00:03
We have a lot to cover here, so let's get started.
00:06
So in the following lab will go through all of the main scan techniques used in and map, which are the sin scan. The TCP full connects Cannes.
00:15
UDP scans a combination of sin scans and you d be scans and we'll finish with the I P protocol scan.
00:23
There are a couple of times in the lab when I refer to a sin scan as a TCP scan. This is technically accurate, since a sin scan is a type of DCP scan because it uses TCP it later for.
00:34
But please understand the difference between the sin scan and a TCP full connects scan.
00:39
I do point out the differences, but just don't want you to be confused. All right, let's do it.
00:45
All right. Welcome to the end. Map scan techniques, lab.
00:49
Um, the first thing I wanted to do was show you in general, where I like to place my scan techniques in my and map statement,
00:59
so do the following.
01:14
Okay, so don't get too hung up in all the extra details here,
01:18
but basically,
01:19
we're doing Ah, syn
01:21
scan.
01:23
I'm doing ports one through 100 of this host,
01:27
and then I'm out putting to output dot and map.
01:33
And
01:34
the main point here is that I like to put the scan technique at the beginning of the end. Maps can,
01:40
so I'll run this.
01:49
There it is.
01:51
I'll, uh, clear the screen.
01:53
All right, I'll do another one just to drive it home.
01:59
Do a TCP
02:00
scan.
02:04
Make it fast,
02:05
meaning that it's going to scan the 100 most popular ports.
02:08
And we'll go through all the ports scanning techniques in the next
02:14
lesson.
02:17
Well, I'll put it, XML this time
02:23
again. The main point here is that I'm putting the scan technique right at the beginning of my scan.
02:28
It's not necessary, but it's really helpful, and it sets you up for success in your scans,
02:38
since all the other stuff afterwards depends on your scan technique.
02:50
Also, notice here that
02:52
the TCP connects Cannes is a lot slower than the default since can
03:00
took 23 seconds.
03:04
All right, I'll clear the screen again
03:08
right now. I wanted just prove to you that,
03:12
but the
03:14
and map since Can is the default
03:16
and so I'll do a regular and map
03:22
scan that I p address with no scan technique specified.
03:28
Hit. Enter.
03:35
All right,
03:36
so there's the results.
03:38
979 filtered ports.
03:40
There's the lake and see hostess up.
03:44
Mac address.
03:45
And it took 5.45 seconds.
03:47
And so that was
03:50
just a simple and map. And then the target.
03:53
Now modify. That will do. Ah, and map Dash s Capital s,
04:00
which is a sin scan
04:02
hit. Enter.
04:04
And the results of the scan should
04:06
basically be the same.
04:09
It took 5.62 seconds,
04:12
and you could see that there's 979 filter ports, just like
04:15
the other scan we did without specifying the scan technique.
04:21
All right,
04:25
clear that.
04:26
Clear the screen.
04:29
All right, Now I want to show you
04:31
basically that a TCP connects Cannes is slower than an end map since can,
04:39
if you remember the since can that we just ran. Took 5.45 seconds. So do ah,
04:44
map Dash s Capital T of the same host.
04:55
It's slow enough that I might actually cut
04:58
some of it.
05:03
All right, there you go. Uh, that was waste lower than a sin scan. So my point there is
05:11
that
05:12
the since can is the default. But if your user does not have
05:16
raw packet privileges if you don't have a
05:20
privileged user or you're not running it as an administrator,
05:25
um, that
05:26
TCP scan is a default
05:29
scan technique, and so it's just a lot slower. The results are basically the same,
05:33
but it just took a lot longer to get get to those results. You can see appear that I'm running my command prompt as an administrator. So,
05:43
um, whenever possible, uh, if I were you, I'd prefer a TCP syn scan over. Ah, full connects Cannes.
05:53
All right, so clear the screen again.
05:57
Um, So I'm gonna run a couple of UDP scans here. They're slower than a seance can. And even sometimes they're even much slower than a TCP scan.
06:06
So, uh, and then the other point I wanted
06:10
drive home is that if you use the UDP scan, which is ah,
06:15
Dash s Capitol, you
06:17
TCP ports are not scanned by default, so it only scans UDP
06:24
to do it and map
06:27
as Capitol you.
06:32
If it's slow, I'll cut it from the video
06:34
and just show you the results.
06:50
All right, So it wasn't a slow as the DCP connects Cannes
06:54
in this case with 17.27 seconds,
06:58
eso I'll run it against another host. And that is my default gateway, which is a firewall.
07:06
We'll do a fast scan which will only scandal 100 ports.
07:13
And again, if this is too slow, I'll cut the video and just show you the results.
07:23
Okay? And there's the results. It took 100 and 12 seconds, so that was waste lower than the previous scan,
07:29
which
07:30
scandal? 1000 ports. So that just goes to show you that different UDP scans
07:35
against different devices can respond differently.
07:40
Um, the other thing. I wanted to, uh, touch on waas.
07:44
Uh, the results here. I blew through the commands but didn't really talk about the results. Can see in the previous scan that we have. Ah,
07:53
4 53 1 23 1 37 3 89 So those air the open ports from host 1.10
08:05
and notice that they're all UDP. Um, in other words, when you do ah s Capitol, you
08:11
scan technique UDP scan technique.
08:15
Um,
08:16
you're only going to get you tp responses.
08:20
All right, so clear the screen.
08:26
All right. So since I, uh
08:30
ah, udp scan on Lee gives you udp results, Which makes sense. Um,
08:37
a lot of times, what you're gonna want to do is combine UDP scan with a TCP scan, so we'll do. Ah,
08:43
and map. Dash s
08:46
you for you T. P
08:48
s?
08:50
Yes,
08:50
we'll do a fast scan.
08:58
Enter.
09:03
All right, that was pretty fast. But you can see in the results. I've got
09:09
TCP and UDP responses
09:13
open ports.
09:15
Um,
09:16
I did do a fast, so it was only 100 ports. It would've been a lot slower if I did the standard 1000 and left that dash capital f out.
09:24
So do another one will do it in that.
09:28
First, I'll clear the screen. Go and map. Dash s U
09:33
pass.
09:41
All right. Why don't you get too hung up on this, But basically here, I chose
09:48
ports one through 1024. So this will scan you DP ports and
09:54
TCP ports
09:54
of one through 1000 24 of this host this target.
10:11
All right. It took 10.13 seconds. That was pretty fast so you can see all the results there.
10:18
I got all the way up to port 3 89 you D p.
10:24
Okay, Now I'm gonna show you an I P protocol scan. This is really good, because it can inform you of protocols worth further investigation. Some operating systems that are non RFC compliant won't respond correctly, though, so just because it doesn't show open doesn't mean you shouldn't run additional, uh,
10:43
in different types of scans against it.
10:46
I'll show you what I mean. The second do it and map.
10:50
The command is the scan technique is s capital O.
11:00
And I'll run this skin as it is, and it might be really slow. So if it is, I'll cut the video and show you the results.
11:09
In fact,
11:11
I think that the skin is so slow that I might stop it
11:16
and
11:18
show you again how you can speed up the scan, especially if it's a device that's on your local network.
11:31
All right, so I'm already kind of tired of waiting for that. So, control, see to stop it
11:37
and we'll do
11:41
the same thing.
11:41
But I'm not put timing of
11:46
t five, which is insane.
11:52
Don't do this at work or school, cause
11:54
it's definitely gonna hit an I d. S if there is one.
11:56
All right, so that was a lot faster. Six and 1/2 seconds. If I would have let that other scan run, it probably taken,
12:03
I don't know. Maybe more than a minute to run.
12:07
So
12:09
the main thing I want to show you here is that
12:13
protocol one, which is ICMP, is open
12:16
Protocol six, which is TCP is open,
12:20
and so
12:22
that gives you really get information. So
12:24
if I run a ping
12:26
against that same device, which is one that 1 92.1 68 that one dot to 54
12:35
it's very possible that I'll get a response since ICMP was open.
12:41
And I did
12:45
all right. And also
12:48
TCP shows to be open. So means that it will probably respond with a lot of good information with in an S
12:58
s capital s or a sin scan.
13:15
You can see all the open ports
13:16
running the sin scan.
13:31
All right. And I'm gonna do another. Uh
13:33
um
13:35
I'm going to do another I p protocol scan against a different host.
13:45
Do you want that one?
13:50
Make it insane
14:03
again. On this one, we see ICMP anti CP open.
14:09
I'll do one more. Do it against 1.10.
14:18
All right, this is an example of maybe some non rfc compliance. This is my internal Windows server at 1.10
14:26
and it is only showing ICMP to be open. There's no other responses, even though we know that they're waas
14:35
responses and open ports with the sin scan.
14:39
All right, so that's the end of our scan techniques lab play around with the scans, and if you can install wire shark on your scanning station and or your target
14:50
and look at the packets,
14:52
Thank you so much. And I'll see you in the next one.
14:56
Okay, so we walked through all of the main scan techniques used in and map, which are the sin scan. The DCP full connects. Can you? UDP scans a combination of sin and UDP scans, and we finished with several I p protocol scans. I showed you why I like to put the scan technique at the beginning of my end map statement,
15:16
and I talked to you about the speed and reliability of the results of the various scans.
15:22
Thank you so much for going through this lesson with me and I'll see you in the next lesson.

Up Next

NMAP

The network mapper (NMAP) is one of the highest quality and powerful free network utilities in the cybersecurity professional's arsenal.

Instructed By

Instructor Profile Image
Rob Thurston
CIO at Integrated Machinery Solutions
Instructor