Host Discovery Part 2 - NM

00:00

Okay, now into the lab

00:01

in this lab, I'll walk you through my favorite host, Discovery Options. I'll show you how, when and why Use them. Then I'll show you something that I've found wrong in the end. Map documentation using in map 7.70 on both Windows A Mac and Callie.

00:18

And finally, I'll remind you of how to increase the output detail in your scan and also how to get a quick and easy running status of your scan.

00:29

Okay, welcome to the lab. On in Matt Post Discovery.

00:32

I'm just gonna get started with an and Maps can.

00:42

All right, This is a list scan of a public network space it's of, and maps

00:48

preferred scanning

00:50

space. Actually,

00:51

before I start, I want to mention that adjusting the timing of the scan will have little effect on the speed of its results because is simply doing a reverse D. N s look up of all identified targets.

01:02

So in other words,

01:04

if I put a dash t t four

01:08

or T five here to speed up the scan,

01:11

it'll do nothing.

01:12

It makes it no faster.

01:15

Um,

01:17

the scan is great against public networks for reconnaissance and provides really get insight for the next phase. In a penetration test, which is scanning,

01:26

I'll run it.

01:32

So this is a slash 24 of ah public network space. And you saw how fast that was 7.54 seconds.

01:38

This is great information you're seeing. I p addresses and reversed name look ups of all of these

01:47

responding hosts.

01:56

Okay,

02:00

so now let's jump in and do my favorite scan. This is Ah, map, Dash Ascend.

02:10

This is a pink sweep of my entire internal flat network.

02:15

The skin is awesome because it quickly identifies all responding hosts and gives me their name

02:21

and Mac address. It also sets you up for learning interesting targets. It doesn't, however, do a port scan.

02:29

If you want to do a port scan and don't mind waiting a little longer, do the following host Discovery Scan.

02:34

I'll go ahead and run this one and show you the results.

02:43

Okay, so it's scanned my entire internal network slash 24 you can see some of the results here did it in 6.54 seconds

02:53

and it gives me

02:55

names, fully qualified domain names. Internally,

03:00

I p address Mac address and then it figures out, based on the first half of the bits of the

03:08

of the Mac address.

03:10

Ah, what the manufacturer is.

03:15

So that's a really, really cool scan, especially on an internal network.

03:23

Okay, so let's move on to the no Ping scan that is N map dash Capital, P N.

03:35

So what this does is it skips host Discovery, and it runs a TCBY based scan of everything

03:39

the skin takes awhile because it scans all 1000 ports of every device on the identify network.

03:46

You can it enter to see the status of the of the current stage. And that's a tip that I wanted to give you, and I'll show it to you in a second.

03:54

All the skins that start with Dash Capital P

03:59

and then a letter do this. In my experience, the unmapped documentation suggests that you can put the TCP ports you want to scan right after the second letter,

04:10

however, inversion 7.70 on a PC Mac and Callie box. It doesn't do this for me. Instead, you have to use the dash P

04:18

than the port number, and I'll show you a couple of examples of what I'm talking about. First, I want to go out and run this scan,

04:26

and it takes a really long time

04:30

because it's scanning every single host on the network whether it finds it up or not.

04:35

That's why it calls it a no ping because it really doesn't do host discovery.

04:43

All right, now I'm gonna show you what I was talking about. As far as gathering status information, if you hit enter,

04:51

I've hit it three times. Now you can see it's telling me about the percentage done of the scan,

04:59

and it tells me about the time remaining. Usually, tapes takes more time than that

05:04

and really, what it's telling you. It's that percentage done

05:10

on the current stage, which is right here since stealth scan timing.

05:15

So I'm not gonna wait that long.

05:17

It does provide good information, but

05:20

one of the things it does, though, is it's running

05:23

Ah 1000 Port scan. So that's why it takes so long.

05:27

May control, see

05:30

clear the screen.

05:32

And so now I want to show you a couple of examples of what I'm talking about.

05:38

On a little bit of the inconsistency between

05:41

what works and what's in the documentation online.

05:44

So do it in map.

05:46

This is the same scan,

05:50

but of a single host. Okay? And I'm showing you just

05:55

supposedly just port 80

05:58

using a no ping scan

06:01

hit. Enter.

06:03

See it. It doesn't just scan port 80. It does get port 80 but it also gets a whole bunch of other stuff.

06:12

So I'll do Ah, TCP syn ping,

06:15

which is another host Discovery scan. And that is

06:28

all right. So this should just scan

06:30

33 89 while it did find 33. 89. Because that host does have 33 89 open. But again,

06:39

it got all the other ports.

06:42

So it does work. If you do traditional pork scanning techniques, it worked. Fine. So I'm gonna give you a couple more examples of that,

06:50

so

06:54

I'll do Ah,

06:55

and map.

07:05

I could type, right.

07:09

This is a no ping scan, but I've done the regular port scanning technique, and that is to put a dash p a space and then the port number

07:18

and where you can put a cole in there too,

07:21

will enter.

07:23

This is no ping scan of 1.10 and there you can see it on Lee. Scan for 80.

07:29

I'll do another one that is

07:32

clear screen on Mt. Dash Capital P s.

07:38

It's a TCBY pink T c P sin

07:42

being

07:46

of the same host,

07:51

All right, so just scan that one. So it's just a lot faster, and I'm just trying to show you the difference between what works and what's in the documentation

08:01

and the unmapped documentation is really, really good.

08:05

Um, it's just This is one place where I've noticed that it either hasn't been updated

08:11

since their latest releases, or

08:15

or whatever, so

08:16

I'll leave that up to them to fix.

08:18

So

08:20

let's do an original no ping scan against the entire internal network using the strategy. So

08:26

before I did Ah and map Dash P and

08:31

1 92 that 1 68 1.10 24

08:37

And that was taking forever. So

08:41

let's do it with just a p 80

08:54

and then we have the results. 25 hosts up, scanned in 7.41 second's a lot faster, and it did that.

09:03

It did that No ping scan

09:05

lightning fast, and it did give us a lot more useful information.

09:13

All right, so

09:16

it's much faster, in my opinion. The only way to do it without scanning 1000 ports and then map

09:20

and the whole point of host discovery is too narrow down your targets.

09:24

Poor scanning version detection and OS detection is where you want to skin.

09:28

Ah, bunch of ports, not during host Discovery. And I've already showed showing you scan techniques and we'll get into port scanning in OS and version detection later.

09:39

So

09:39

all right, uh, that's the end of this lab. Thanks so much for watching, and I'll show you more stuff in the next lab.

09:48

In this lesson, we covered the following. First we talked about what host Discovery is, and about where I think you should consider placing your host. Discovery options in N Maps can statements.

10:00

Second, we discussed the most popular and useful host Discovery options.

10:05

Next, I briefly talked to you through some of the other host discovery options, and finally we went through a quick lab, demonstrating the key concepts and commands provided in this lesson.