Scan Techniques Lab - NM
Video Transcription
00:00
Welcome to the Nmap scan techniques lab.
00:03
We have a lot to cover here, so let's get started.
00:06
So in the following lab we'll go through all of the main scan techniques used in Nmap, which are the SYN scan, the TCP full connect scan,
00:15
UDP scans, a combination of SYN scans and UDP scans, and we'll finish with the IP protocol scan.
00:23
There are a couple of times in the lab when I refer to a SYN scan as a TCP scan. This is technically accurate, since a SYN scan is a type of TCP scan because it uses TCP at layer 4.
00:34
But please understand the difference between the SYN scan and a TCP full connect scan.
00:39
I do point out the differences, but I just don't want you to be confused. All right, let's do it.
00:45
All right. Welcome to the Nmap scan techniques lab.
00:49
The first thing I wanted to do was show you, in general, where I like to place my scan technique in my Nmap statement,
00:59
so do the following.
01:14
Okay, so don't get too hung up on all the extra details here, but basically we're doing a SYN scan.
01:23
I'm doing ports 1 through 100 of this host, and then I'm outputting to output.nmap.
01:33
And the main point here is that I like to put the scan technique at the beginning of the Nmap scan,
01:40
so I'll run this.
01:49
There it is.
01:51
I'll clear the screen.
01:53
All right, I'll do another one just to drive it home.
01:59
Do a TCP scan.
02:04
Make it fast, meaning that it's going to scan the 100 most popular ports.
02:08
And we'll go through all the port scanning techniques in the next lesson.
02:17
Well, I'll output XML this time,
02:23
again, the main point here is that I'm putting the scan technique right at the beginning of my scan.
02:28
It's not necessary, but it's really helpful, and it sets you up for success in your scans,
02:38
since all the other stuff afterwards depends on your scan technique.
02:50
Also, notice here that the TCP connect scan is a lot slower than the default SYN scan; it took 23 seconds.
03:04
All right, I'll clear the screen again
03:08
Right now I want to just prove to you that the Nmap SYN scan is the default, and so I'll do a regular Nmap scan of that IP address with no scan technique specified.
03:28
Hit Enter.
03:35
All right, so there are the results.
03:38
979 filtered ports.
03:40
There's the latency; host is up.
03:44
MAC address.
03:45
And it took 5.45 seconds.
03:47
And so that was just a simple nmap and then the target.
03:53
Now I'll modify that. We'll do nmap -sS, which is a SYN scan.
04:02
Hit Enter.
04:04
And the results of the scan should basically be the same.
04:09
It took 5.62 seconds,
04:12
and you can see that there are 979 filtered ports, just like the other scan we did without specifying the scan technique.
04:21
All right, clear that. Clear the screen.
04:29
All right. Now I want to show you basically that a TCP connect scan is slower than an Nmap SYN scan.
04:39
If you remember, the SYN scan that we just ran took 5.45 seconds. So do an nmap -sT of the same host.
04:55
It's slow enough that I might actually cut some of it.
05:03
All right, there you go. That was way slower than a SYN scan. So my point there is that the SYN scan is the default. But if your user does not have raw packet privileges, if you don't have a privileged user or you're not running it as an administrator, that TCP scan is the default scan technique, and so it's just a lot slower.
05:29
The results are basically the same, but it just took a lot longer to get to those results. You can see up here that I'm running my command prompt as an administrator.
05:43
So, whenever possible, if I were you, I'd prefer a TCP SYN scan over a full connect scan.
05:53
All right, so clear the screen again.
05:57
So I'm gonna run a couple of UDP scans here. They're slower than a SYN scan, and sometimes they're even much slower than a TCP scan.
06:06
And then the other point I wanted to drive home is that if you use the UDP scan, which is -sU, TCP ports are not scanned by default, so it only scans UDP.
06:24
To do it: nmap -sU.
06:32
If it's slow, I'll cut it from the video and just show you the results.
06:50
All right. So it wasn't as slow as the TCP connect scan in this case, with 17.27 seconds,
06:58
so I'll run it against another host, and that is my default gateway, which is a firewall.
07:06
We'll do a fast scan, which will only scan the 100 ports.
07:13
And again, if this is too slow, I'll cut the video and just show you the results.
07:23
Okay, and there are the results. It took 112 seconds, so that was way slower than the previous scan, which scanned 1000 ports.
07:30
So that just goes to show you that different UDP scans against different devices can respond differently.
07:40
The other thing I wanted to touch on was the results here. I blew through the commands but didn't really talk about the results. You can see in the previous scan that we have four: 53, 123, 137, 389. So those are the open ports from host 1.10,
08:05
and notice that they're all UDP. In other words, when you do an -sU scan technique, a UDP scan technique, you're only going to get UDP responses.
08:20
All right, so clear the screen.
08:26
All right. So since a UDP scan only gives you UDP results, which makes sense, a lot of times what you're gonna want to do is combine a UDP scan with a TCP scan, so we'll do nmap -sU for UDP, then S, yes, and we'll do a fast scan.
08:58
Enter.
09:03
All right, that was pretty fast. But you can see in the results I've got TCP and UDP responses, open ports.
09:16
I did do a fast scan, so it was only 100 ports. It would've been a lot slower if I did the standard 1000 and left that -F out.
09:24
So I'll do another one. We'll do it in that. First, I'll clear the screen. Go nmap -sU -p
09:41
All right. Don't get too hung up on this, but basically here I chose ports 1 through 1024. So this will scan UDP ports and TCP ports 1 through 1024 of this host, this target.
10:11
All right. It took 10.13 seconds. That was pretty fast, so you can see all the results there.
10:18
I got all the way up to port 389 UDP.
10:24
Okay. Now I'm gonna show you an IP protocol scan. This is really good because it can inform you of protocols worth further investigation. Some operating systems that are non-RFC-compliant won't respond correctly, though, so just because it doesn't show open doesn't mean you shouldn't run additional and different types of scans against it.
10:46
I'll show you what I mean in a second. Do it: nmap. The command, the scan technique, is -sO.
11:00
And I'll run this scan as it is, and it might be really slow. So if it is, I'll cut the video and show you the results.
11:09
In fact, I think that the scan is so slow that I might stop it and show you again how you can speed up the scan, especially if it's a device that's on your local network.
11:31
All right, so I'm already kind of tired of waiting for that. So, Ctrl-C to stop it,
11:37
and we'll do the same thing, but now put a timing of -T5, which is insane.
11:52
Don't do this at work or school, because it's definitely gonna hit an IDS if there is one.
11:56
All right, so that was a lot faster: six and a half seconds. If I would have let that other scan run, it probably would have taken, I don't know, maybe more than a minute to run.
12:07
So the main thing I want to show you here is that protocol 1, which is ICMP, is open, protocol 6, which is TCP, is open, and so that gives you really good information. So
12:24
if I run a ping against that same device, which is 192.168.1.254, it's very possible that I'll get a response since ICMP was open.
12:41
And I did. All right. And also TCP shows to be open, so that means that it will probably respond with a lot of good information within an -sS, or a SYN scan.
13:15
You can see all the open ports running the SYN scan.
13:31
All right. And I'm going to do another IP protocol scan against a different host.
13:45
Do you want that one?
13:50
Make it insane
14:03
Again, on this one we see ICMP and TCP open.
14:09
I'll do one more. Do it against 1.10.
14:18
All right, this is an example of maybe some non-RFC compliance. This is my internal Windows server at 1.10,
14:26
and it is only showing ICMP to be open. There are no other responses, even though we know that there were responses and open ports with the SYN scan.
14:39
All right, so that's the end of our scan techniques lab. Play around with the scans, and if you can, install Wireshark on your scanning station and/or your target and look at the packets.
14:52
Thank you so much. And I'll see you in the next one.
14:56
Okay, so we walked through all of the main scan techniques used in Nmap, which are the SYN scan, the TCP full connect scan, UDP scans, a combination of SYN and UDP scans, and we finished with several IP protocol scans. I showed you why I like to put the scan technique at the beginning of my Nmap statement,
15:16
and I talked to you about the speed and reliability of the results of the various scans.
15:22
Thank you so much for going through this lesson with me and I'll see you in the next lesson.
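The lab writes results with -oN and -oX but reads them off the screen. The script below is an added example, not code from the lab or from the Nmap project: it parses Nmap's XML (-oX) output and summarises it by protocol, which makes the lab's three observations visible in one place. A -sU scan yields only udp entries, a combined -sSU scan yields both tcp and udp, and a -sO scan yields entries with protocol="ip" whose port number is the IP protocol number (1 = ICMP, 6 = TCP, 17 = UDP). It also pulls out the UDP ports Nmap could only call open|filtered, since those silent ports are why UDP scans run so long and why a missing "open" is not proof of "closed". SAMPLE_XML is a constructed sample in the shape Nmap writes; the hosts, ports and states are made up for illustration and are not the lab's results.

```python
"""Summarise Nmap -oX (XML) output by protocol: tcp, udp and ip.

Added example for this lab, not code from the lab or from the Nmap project.
SAMPLE_XML is a constructed sample in the shape Nmap writes with -oX; the
hosts, ports and states are made up for illustration.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample (not a real capture): one host scanned with -sSU -F,
# one with -sO. For -sO Nmap reports protocol="ip" and portid is the IP
# protocol number (1 = ICMP, 6 = TCP, 17 = UDP).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sSU -F 192.168.1.10" version="7.94">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="53"><state state="open" reason="syn-ack"/><service name="domain"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
      <port protocol="udp" portid="53"><state state="open" reason="udp-response"/><service name="domain"/></port>
      <port protocol="udp" portid="123"><state state="open" reason="udp-response"/><service name="ntp"/></port>
      <port protocol="udp" portid="137"><state state="open" reason="udp-response"/><service name="netbios-ns"/></port>
      <port protocol="udp" portid="389"><state state="open|filtered" reason="no-response"/><service name="ldap"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.254" addrtype="ipv4"/>
    <ports>
      <port protocol="ip" portid="1"><state state="open" reason="proto-response"/><service name="icmp"/></port>
      <port protocol="ip" portid="6"><state state="open" reason="proto-response"/><service name="tcp"/></port>
      <port protocol="ip" portid="17"><state state="open|filtered" reason="no-response"/><service name="udp"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ip: {protocol: [(portid, state, service_name), ...]}}."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        by_proto = defaultdict(list)
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            svc = port.find("service")
            name = svc.get("name") if svc is not None else ""
            by_proto[port.get("protocol")].append((int(port.get("portid")), state, name))
        results[addr.get("addr")] = dict(by_proto)
    return results


def open_ports(results, ip, protocol):
    """Ports (or IP protocol numbers, for protocol='ip') Nmap marked strictly open."""
    entries = results.get(ip, {}).get(protocol, [])
    return sorted(p for p, state, _ in entries if state == "open")


def ambiguous_udp(results, ip):
    """UDP ports that never answered. Nmap reports them as open|filtered,
    so they need a follow-up (version probe or a different scan) before
    anyone calls them closed; this silence is what makes UDP scans slow."""
    entries = results.get(ip, {}).get("udp", [])
    return sorted(p for p, state, _ in entries if state == "open|filtered")


if __name__ == "__main__":
    res = parse_nmap_xml(SAMPLE_XML)
    for ip, protos in res.items():
        for proto in sorted(protos):
            print(ip, proto, "open:", open_ports(res, ip, proto))
        if "udp" in protos:
            print(ip, "udp open|filtered (needs follow-up):", ambiguous_udp(res, ip))
```

To run it against a real scan from the lab, replace SAMPLE_XML with the contents of the -oX file (for example the output of nmap -sSU -F -oX scan.xml target). The -sO host shows only an "ip" key, mirroring the lab's point that a protocol scan answers which protocols respond, not which ports are open.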