Welcome to the Nmap scan techniques lab.
We have a lot to cover here, so let's get started.
So in the following lab we'll go through all of the main scan techniques used in Nmap, which are the SYN scan, the TCP full connect scan,
UDP scans, a combination of SYN scans and UDP scans, and we'll finish with the IP protocol scan.
There are a couple of times in the lab when I refer to a SYN scan as a TCP scan. This is technically accurate, since a SYN scan is a type of TCP scan because it uses TCP at layer four.
But please understand the difference between the SYN scan and a TCP full connect scan.
I do point out the differences, but I just don't want you to be confused. All right, let's do it.
All right. Welcome to the Nmap scan techniques lab.
The first thing I wanted to do was show you, in general, where I like to place my scan techniques in my Nmap statement,
so do the following.
Okay, so don't get too hung up on all the extra details here.
We're doing a SYN scan,
I'm doing ports 1 through 100 of this host,
and then I'm outputting to output.nmap.
The main point here is that I like to put the scan technique at the beginning of the Nmap scan,
so I'll run this.
There it is.
I'll clear the screen.
All right, I'll do another one just to drive it home.
Do a TCP scan.
Make it fast,
meaning that it's going to scan the 100 most popular ports.
And we'll go through all the port scanning techniques in the next...
Well, I'll output XML this time.
Again, the main point here is that I'm putting the scan technique right at the beginning of my scan.
It's not necessary, but it's really helpful, and it sets you up for success in your scans,
since all the other stuff afterwards depends on your scan technique.
Also, notice here that
the TCP connect scan is a lot slower than the default SYN scan;
it took 23 seconds.
All right, I'll clear the screen again.
Right now, I want to just prove to you that
the Nmap SYN scan is the default,
and so I'll do a regular Nmap
scan of that IP address with no scan technique specified.
So there's the results:
979 filtered ports.
There's the latency, and you can see the host is up.
And it took 5.45 seconds.
And so that was
just a simple nmap and then the target.
Now modify that. We'll do nmap -sS,
which is a SYN scan,
and the results of the scan should
basically be the same.
It took 5.62 seconds,
and you can see that there are 979 filtered ports, just like
the other scan we did without specifying the scan technique.
Clear the screen.
All right, now I want to show you
basically that a TCP connect scan is slower than an Nmap SYN scan.
If you remember, the SYN scan that we just ran took 5.45 seconds. So do
nmap -sT of the same host.
It's slow enough that I might actually cut
some of it.
All right, there you go. That was way slower than a SYN scan. So my point there is,
the SYN scan is the default. But if your user does not have
raw packet privileges, if you don't have a
privileged user or you're not running it as an administrator,
the TCP connect scan is the default
scan technique, and so it's just a lot slower. The results are basically the same,
but it just took a lot longer to get to those results. You can see up here that I'm running my command prompt as an administrator. So,
whenever possible, if I were you, I'd prefer a TCP SYN scan over a full connect scan.
All right, so clear the screen again.
So I'm gonna run a couple of UDP scans here. They're slower than a SYN scan, and sometimes they're even much slower than a TCP scan.
And then the other point I wanted to
drive home is that if you use the UDP scan, which is
-sU,
TCP ports are not scanned by default, so it only scans UDP.
So do nmap
-sU.
If it's slow, I'll cut it from the video
and just show you the results.
All right, so it wasn't as slow as the TCP connect scan
in this case, with 17.27 seconds,
so I'll run it against another host, and that is my default gateway, which is a firewall.
We'll do a fast scan, which will only scan 100 ports.
And again, if this is too slow, I'll cut the video and just show you the results.
Okay, and there's the results. It took 112 seconds, so that was way slower than the previous scan,
which scanned 1000 ports. So that just goes to show you that different UDP scans
against different devices can respond differently.
The other thing I wanted to touch on was
the results here. I blew through the commands but didn't really talk about the results. You can see in the previous scan that we have four:
53, 123, 137, 389. So those are the open ports from host 1.10,
and notice that they're all UDP. In other words, when you do an -sU
scan technique, a UDP scan technique,
you're only going to get UDP responses.
All right, so clear the screen.
All right. So since a
UDP scan only gives you UDP results, which makes sense,
a lot of times what you're gonna want to do is combine a UDP scan with a TCP scan, so we'll do
nmap -sSU,
the U for UDP,
and we'll do a fast scan.
All right, that was pretty fast. But you can see in the results I've got
TCP and UDP responses.
I did do a fast scan, so it was only 100 ports. It would've been a lot slower if I did the standard 1000 and left that -F out.
So do another one. We'll do it in that...
First, I'll clear the screen. Go nmap -sU.
All right, don't get too hung up on this, but basically here I chose
ports 1 through 1024. So this will scan UDP ports
1 through 1024 of this host, this target.
All right, it took 10.13 seconds. That was pretty fast, so you can see all the results there.
I got all the way up to port 389 UDP.
Okay, now I'm gonna show you an IP protocol scan. This is really good, because it can inform you of protocols worth further investigation. Some operating systems that are non-RFC-compliant won't respond correctly, though, so just because it doesn't show open doesn't mean you shouldn't run additional,
different types of scans against it.
I'll show you what I mean. Let's do it: nmap.
The scan technique is -sO.
And I'll run this scan as it is, and it might be really slow. So if it is, I'll cut the video and show you the results.
I think that the scan is so slow that I might stop it and
show you again how you can speed up the scan, especially if it's a device that's on your local network.
All right, so I'm already kind of tired of waiting for that. So Ctrl-C to stop it,
and we'll do
the same thing,
but I'll put a timing of
-T5, which is insane.
Don't do this at work or school, because
it's definitely gonna hit an IDS if there is one.
All right, so that was a lot faster: six and a half seconds. If I would have let that other scan run, it probably would've taken,
I don't know, maybe more than a minute to run.
The main thing I want to show you here is that
protocol 1, which is ICMP, is open,
protocol 6, which is TCP, is open.
That gives you really good information. So
if I run a ping
against that same device, which is 192.168.1.254,
it's very possible that I'll get a response, since ICMP was open.
And I did.
All right. And also,
TCP shows to be open, so that means that it will probably respond with a lot of good information with an
-sS or SYN scan.
You can see all the open ports
running the SYN scan.
All right. And I'm gonna do another...
I'm going to do another IP protocol scan against a different host.
Do you want that one?
Make it insane
again. On this one, we see ICMP and TCP open.
I'll do one more. Do it against 1.10.
All right, this is an example of maybe some non-RFC compliance. This is my internal Windows server at 1.10,
and it is only showing ICMP to be open. There are no other responses, even though we know that there were
responses and open ports with the SYN scan.
All right, so that's the end of our scan techniques lab. Play around with the scans, and if you can, install Wireshark on your scanning station and/or your target
and look at the packets.
Thank you so much, and I'll see you in the next one.
Okay, so we walked through all of the main scan techniques used in Nmap, which are the SYN scan, the TCP full connect scan, UDP scans, a combination of SYN and UDP scans, and we finished with several IP protocol scans. I showed you why I like to put the scan technique at the beginning of my Nmap statement,
and I talked to you about the speed and reliability of the results of the various scans.
Thank you so much for going through this lesson with me, and I'll see you in the next lesson.
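The lab outputs scans with -oN and -oX but reads the results off the screen. As an added example (not part of the lesson or of Nmap itself), here is a small Python parser for Nmap's -oX XML output that pulls out the open ports per protocol and the elapsed time, and applies the caveat from the 1.10 Windows server case: if an IP protocol scan (-sO) does not show protocol 6 (TCP) open but a SYN scan of the same host found open TCP ports, the protocol scan is flagged as non-authoritative for that host. The two XML strings are constructed sample output modelled on Nmap's format, not captures from the lab; the host addresses and ports in them are assumptions.

```python
"""Parse Nmap -oX output and cross-check an IP-protocol scan (-sO) against a
SYN scan (-sS). Added example; the XML below is constructed sample output."""
import xml.etree.ElementTree as ET

# Constructed sample: roughly what `nmap -sS -oX - 192.168.1.10` emits (trimmed).
SYN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX - 192.168.1.10">
  <scaninfo type="syn" protocol="tcp" numservices="1000"/>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <extraports state="filtered" count="996"/>
      <port protocol="tcp" portid="53"><state state="open" reason="syn-ack"/><service name="domain"/></port>
      <port protocol="tcp" portid="88"><state state="open" reason="syn-ack"/><service name="kerberos-sec"/></port>
      <port protocol="tcp" portid="389"><state state="open" reason="syn-ack"/><service name="ldap"/></port>
      <port protocol="tcp" portid="445"><state state="closed" reason="reset"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <runstats><finished elapsed="5.62"/></runstats>
</nmaprun>"""

# Constructed sample: `nmap -sO -T5 -oX - 192.168.1.10` against a host that only
# answers for ICMP. Protocols with no response are "open|filtered" and are folded
# into <extraports>, so TCP (protocol 6) simply does not appear.
PROTO_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sO -T5 -oX - 192.168.1.10">
  <scaninfo type="ipproto" protocol="ip" numservices="256"/>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <extraports state="open|filtered" count="255"/>
      <port protocol="ip" portid="1"><state state="open" reason="proto-response"/><service name="icmp"/></port>
    </ports>
  </host>
  <runstats><finished elapsed="6.50"/></runstats>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return {"scan_type", "elapsed", "hosts": [{"addr", "state",
    "ports": {protocol: {id: (state, service_name)}}}]} from -oX text."""
    root = ET.fromstring(xml_text)
    info = root.find("scaninfo")
    finished = root.find("runstats/finished")
    parsed = {
        "scan_type": info.get("type") if info is not None else None,
        "elapsed": float(finished.get("elapsed")) if finished is not None else None,
        "hosts": [],
    }
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")
        entry = {
            "addr": addr_el.get("addr") if addr_el is not None else None,
            "state": host.find("status").get("state"),
            "ports": {},
        }
        for port in host.findall("ports/port"):
            proto = port.get("protocol")      # tcp, udp, sctp, or ip for -sO
            pid = int(port.get("portid"))     # port number, or protocol number for -sO
            state = port.find("state").get("state")
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            entry["ports"].setdefault(proto, {})[pid] = (state, name)
        parsed["hosts"].append(entry)
    return parsed


def open_ports(host, proto):
    """Sorted ids whose state is exactly 'open' for one protocol ('tcp', 'udp', 'ip')."""
    return sorted(pid for pid, (state, _) in host["ports"].get(proto, {}).items()
                  if state == "open")


def cross_check_protocol_scan(proto_scan, syn_scan):
    """Warn for hosts where -sO did not report protocol 6 (TCP) open even though
    -sS found open TCP ports: the -sO negative is not trustworthy for that host."""
    syn_hosts = {h["addr"]: h for h in syn_scan["hosts"]}
    warnings = []
    for host in proto_scan["hosts"]:
        syn_host = syn_hosts.get(host["addr"])
        if syn_host is None:
            continue
        tcp_open = open_ports(syn_host, "tcp")
        # Absent from the port list means it was folded into extraports: open|filtered.
        tcp_proto_state = host["ports"].get("ip", {}).get(6, ("open|filtered", ""))[0]
        if tcp_open and tcp_proto_state != "open":
            warnings.append(
                f"{host['addr']}: -sO reports protocol 6 (tcp) as {tcp_proto_state}, "
                f"but -sS found open TCP ports {tcp_open}; do not trust the protocol scan alone"
            )
    return warnings


if __name__ == "__main__":
    syn = parse_nmap_xml(SYN_XML)
    proto = parse_nmap_xml(PROTO_XML)
    for h in syn["hosts"]:
        print(h["addr"], "tcp open:", open_ports(h, "tcp"), f"({syn['elapsed']}s)")
    for h in proto["hosts"]:
        print(h["addr"], "ip protocols open:", open_ports(h, "ip"), f"({proto['elapsed']}s)")
    for w in cross_check_protocol_scan(proto, syn):
        print("WARNING:", w)
```

To use it on real scans, save each run with -oX (for example `nmap -sS -oX syn.xml 192.168.1.10` and `nmap -sO -oX proto.xml 192.168.1.10`) and feed the file contents to parse_nmap_xml. Note that the parser treats only the literal state "open" as open; "open|filtered" from a UDP or protocol scan is deliberately not counted, which is the same distinction the lab draws when it warns that a protocol scan failing to show open is not proof of anything.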