Okay, now into the lab
in this lab, I'll walk you through my favorite host, Discovery Options. I'll show you how, when and why Use them. Then I'll show you something that I've found wrong in the end. Map documentation using in map 7.70 on both Windows A Mac and Callie.
And finally, I'll remind you of how to increase the output detail in your scan and also how to get a quick and easy running status of your scan.
Okay, welcome to the lab. On in Matt Post Discovery.
I'm just gonna get started with an and Maps can.
All right, This is a list scan of a public network space it's of, and maps
before I start, I want to mention that adjusting the timing of the scan will have little effect on the speed of its results because is simply doing a reverse D. N s look up of all identified targets.
if I put a dash t t four
or T five here to speed up the scan,
It makes it no faster.
the scan is great against public networks for reconnaissance and provides really get insight for the next phase. In a penetration test, which is scanning,
So this is a slash 24 of ah public network space. And you saw how fast that was 7.54 seconds.
This is great information you're seeing. I p addresses and reversed name look ups of all of these
so now let's jump in and do my favorite scan. This is Ah, map, Dash Ascend.
This is a pink sweep of my entire internal flat network.
The skin is awesome because it quickly identifies all responding hosts and gives me their name
and Mac address. It also sets you up for learning interesting targets. It doesn't, however, do a port scan.
If you want to do a port scan and don't mind waiting a little longer, do the following host Discovery Scan.
I'll go ahead and run this one and show you the results.
Okay, so it's scanned my entire internal network slash 24 you can see some of the results here did it in 6.54 seconds
names, fully qualified domain names. Internally,
I p address Mac address and then it figures out, based on the first half of the bits of the
Ah, what the manufacturer is.
So that's a really, really cool scan, especially on an internal network.
Okay, so let's move on to the no Ping scan that is N map dash Capital, P N.
So what this does is it skips host Discovery, and it runs a TCBY based scan of everything
the skin takes awhile because it scans all 1000 ports of every device on the identify network.
You can it enter to see the status of the of the current stage. And that's a tip that I wanted to give you, and I'll show it to you in a second.
All the skins that start with Dash Capital P
and then a letter do this. In my experience, the unmapped documentation suggests that you can put the TCP ports you want to scan right after the second letter,
however, inversion 7.70 on a PC Mac and Callie box. It doesn't do this for me. Instead, you have to use the dash P
than the port number, and I'll show you a couple of examples of what I'm talking about. First, I want to go out and run this scan,
and it takes a really long time
because it's scanning every single host on the network whether it finds it up or not.
That's why it calls it a no ping because it really doesn't do host discovery.
All right, now I'm gonna show you what I was talking about. As far as gathering status information, if you hit enter,
I've hit it three times. Now you can see it's telling me about the percentage done of the scan,
and it tells me about the time remaining. Usually, tapes takes more time than that
and really, what it's telling you. It's that percentage done
on the current stage, which is right here since stealth scan timing.
So I'm not gonna wait that long.
It does provide good information, but
one of the things it does, though, is it's running
Ah 1000 Port scan. So that's why it takes so long.
And so now I want to show you a couple of examples of what I'm talking about.
On a little bit of the inconsistency between
what works and what's in the documentation online.
This is the same scan,
but of a single host. Okay? And I'm showing you just
supposedly just port 80
using a no ping scan
See it. It doesn't just scan port 80. It does get port 80 but it also gets a whole bunch of other stuff.
So I'll do Ah, TCP syn ping,
which is another host Discovery scan. And that is
all right. So this should just scan
33 89 while it did find 33. 89. Because that host does have 33 89 open. But again,
it got all the other ports.
So it does work. If you do traditional pork scanning techniques, it worked. Fine. So I'm gonna give you a couple more examples of that,
I could type, right.
This is a no ping scan, but I've done the regular port scanning technique, and that is to put a dash p a space and then the port number
and where you can put a cole in there too,
This is no ping scan of 1.10 and there you can see it on Lee. Scan for 80.
I'll do another one that is
clear screen on Mt. Dash Capital P s.
It's a TCBY pink T c P sin
All right, so just scan that one. So it's just a lot faster, and I'm just trying to show you the difference between what works and what's in the documentation
and the unmapped documentation is really, really good.
Um, it's just This is one place where I've noticed that it either hasn't been updated
since their latest releases, or
I'll leave that up to them to fix.
let's do an original no ping scan against the entire internal network using the strategy. So
before I did Ah and map Dash P and
1 92 that 1 68 1.10 24
And that was taking forever. So
let's do it with just a p 80
and then we have the results. 25 hosts up, scanned in 7.41 second's a lot faster, and it did that.
It did that No ping scan
lightning fast, and it did give us a lot more useful information.
it's much faster, in my opinion. The only way to do it without scanning 1000 ports and then map
and the whole point of host discovery is too narrow down your targets.
Poor scanning version detection and OS detection is where you want to skin.
Ah, bunch of ports, not during host Discovery. And I've already showed showing you scan techniques and we'll get into port scanning in OS and version detection later.
all right, uh, that's the end of this lab. Thanks so much for watching, and I'll show you more stuff in the next lab.
In this lesson, we covered the following. First we talked about what host Discovery is, and about where I think you should consider placing your host. Discovery options in N Maps can statements.
Second, we discussed the most popular and useful host Discovery options.
Next, I briefly talked to you through some of the other host discovery options, and finally we went through a quick lab, demonstrating the key concepts and commands provided in this lesson.
Thanks so much for working through this lesson with me, and I'll talk to you again in the next one