NMAP

Course
Time: 7 hours 1 minute
Difficulty: Beginner
CEU/CPE: 7

Video Transcription

00:00
Okay, now into the lab
00:01
In this lab, I'll walk you through my favorite host discovery options. I'll show you how, when, and why to use them. Then I'll show you something that I've found wrong in the Nmap documentation, using Nmap 7.70 on both Windows, a Mac, and Kali.
00:18
And finally, I'll remind you of how to increase the output detail in your scan, and also how to get a quick and easy running status of your scan.
00:29
Okay, welcome to the lab on Nmap host discovery.
00:32
I'm just gonna get started with an Nmap scan.
00:42
All right, this is a list scan of a public network space; it's Nmap's
00:48
preferred scanning
00:50
space. Actually,
00:51
before I start, I want to mention that adjusting the timing of the scan will have little effect on the speed of its results, because it's simply doing a reverse DNS lookup of all identified targets.
01:02
So in other words,
01:04
if I put a -T4
01:08
or -T5 here to speed up the scan,
01:11
it'll do nothing.
01:12
It makes it no faster.
01:15
Um,
01:17
The scan is great against public networks for reconnaissance and provides really good insight for the next phase in a penetration test, which is scanning.
01:26
I'll run it.
01:32
So this is a /24 of a public network space. And you saw how fast that was: 7.54 seconds.
01:38
This is great information you're seeing: IP addresses and reverse name lookups of all of these
01:47
responding hosts.
01:56
Okay,
02:00
so now let's jump in and do my favorite scan. This is nmap -sn.
02:10
This is a ping sweep of my entire internal flat network.
02:15
The scan is awesome because it quickly identifies all responding hosts and gives me their name
02:21
and MAC address. It also sets you up for learning interesting targets. It doesn't, however, do a port scan.
02:29
If you want to do a port scan and don't mind waiting a little longer, do the following host discovery scan.
02:34
I'll go ahead and run this one and show you the results.
02:43
Okay, so it scanned my entire internal network /24. You can see some of the results here; it did it in 6.54 seconds,
02:53
and it gives me
02:55
names, fully qualified domain names internally,
03:00
IP address, MAC address, and then it figures out, based on the first half of the bits of the
03:08
of the MAC address,
03:10
what the manufacturer is.
03:15
So that's a really, really cool scan, especially on an internal network.
03:23
Okay, so let's move on to the no ping scan; that is nmap -Pn.
03:35
So what this does is it skips host discovery, and it runs a TCP SYN-based scan of everything.
03:39
The scan takes a while because it scans all 1000 ports of every device on the identified network.
03:46
You can hit Enter to see the status of the current stage, and that's a tip that I wanted to give you, and I'll show it to you in a second.
03:54
All the scans that start with -P
03:59
and then a letter do this. In my experience, the Nmap documentation suggests that you can put the TCP ports you want to scan right after the second letter;
04:10
however, in version 7.70 on a PC, Mac, and Kali box, it doesn't do this for me. Instead, you have to use -p
04:18
then the port number, and I'll show you a couple of examples of what I'm talking about. First, I want to go out and run this scan,
04:26
and it takes a really long time
04:30
because it's scanning every single host on the network whether it finds it up or not.
04:35
That's why it calls it a no ping, because it really doesn't do host discovery.
04:43
All right, now I'm gonna show you what I was talking about as far as gathering status information. If you hit Enter,
04:51
I've hit it three times now, you can see it's telling me about the percentage done of the scan,
04:59
and it tells me about the time remaining. Usually, it takes more time than that,
05:04
and really, what it's telling you is that percentage done
05:10
on the current stage, which is right here: SYN Stealth Scan Timing.
05:15
So I'm not gonna wait that long.
05:17
It does provide good information, but
05:20
one of the things it does, though, is it's running
05:23
a 1000-port scan. So that's why it takes so long.
05:27
I'll Control-C,
05:30
clear the screen.
05:32
And so now I want to show you a couple of examples of what I'm talking about.
05:38
and a little bit of the inconsistency between
05:41
what works and what's in the documentation online.
05:44
So I'll do nmap.
05:46
This is the same scan,
05:50
but of a single host. Okay? And I'm showing you just
05:55
supposedly just port 80
05:58
using a no ping scan
06:01
hit Enter.
06:03
See, it doesn't just scan port 80. It does get port 80, but it also gets a whole bunch of other stuff.
06:12
So I'll do a TCP SYN ping,
06:15
which is another host discovery scan. And that is
06:28
all right. So this should just scan
06:30
3389. Well, it did find 3389, because that host does have 3389 open. But again,
06:39
it got all the other ports.
06:42
So it does work if you do traditional port scanning techniques; it worked fine. So I'm gonna give you a couple more examples of that,
06:50
so
06:54
I'll do a
06:55
nmap.
07:05
I could type, right.
07:09
This is a no ping scan, but I've done the regular port scanning technique, and that is to put -p, a space, and then the port number,
07:18
and you can put a colon in there too.
07:21
I'll hit Enter.
07:23
This is a no ping scan of 1.10, and there you can see it only scanned for 80.
07:29
I'll do another one that is
07:32
clear screen, nmap -PS.
07:38
It's a TCP SYN ping, TCP SYN
07:42
ping
07:46
of the same host,
07:51
All right, so it just scanned that one. So it's just a lot faster, and I'm just trying to show you the difference between what works and what's in the documentation,
08:01
and the Nmap documentation is really, really good.
08:05
Um, it's just this is one place where I've noticed that it either hasn't been updated
08:11
since their latest releases, or
08:15
or whatever, so
08:16
I'll leave that up to them to fix.
08:18
So
08:20
let's do an original no ping scan against the entire internal network using this strategy. So
08:26
before I did nmap -Pn
08:31
192.168.1.10/24,
08:37
And that was taking forever. So
08:41
let's do it with just -p 80,
08:54
and then we have the results: 25 hosts up, scanned in 7.41 seconds. A lot faster, and it did that.
09:03
It did that no ping scan
09:05
lightning fast, and it did give us a lot more useful information.
09:13
All right, so
09:16
it's much faster, and in my opinion the only way to do it without scanning 1000 ports in Nmap,
09:20
and the whole point of host discovery is to narrow down your targets.
09:24
Port scanning, version detection, and OS detection is where you want to scan
09:28
a bunch of ports, not during host discovery. And I've already shown you scan techniques, and we'll get into port scanning and OS and version detection later.
09:39
So
09:39
all right, uh, that's the end of this lab. Thanks so much for watching, and I'll show you more stuff in the next lab.
09:48
In this lesson, we covered the following. First, we talked about what host discovery is, and about where I think you should consider placing your host discovery options in Nmap scan statements.
10:00
Second, we discussed the most popular and useful host discovery options.
10:05
Next, I briefly talked to you through some of the other host discovery options, and finally we went through a quick lab, demonstrating the key concepts and commands provided in this lesson.
10:15
Thanks so much for working through this lesson with me, and I'll talk to you again in the next one.

Instructed By

Rob Thurston
CIO at Integrated Machinery Solutions
Instructor