NMAP

Course
Time
7 hours 1 minute
Difficulty
Beginner
CEU/CPE
7

Video Transcription

00:01
Welcome to the Nmap TCP and UDP port scanning lab.
00:05
This lab takes a little bit of time to go through, so I decided to separate it from the port scanning lesson itself.
00:11
Understanding how to tell Nmap what ports to scan is fundamental to creating Nmap scan statements. So this lab is one of the most important in the course.
00:20
I think you'll find it pretty easy once you see several examples and practice it for yourself.
00:26
Okay, now on to the lab.
00:28
In this lab, I'll show you how to create and run Nmap statements that scan for specific ports.
00:34
We'll run through a bunch of different options that include both TCP and UDP ports and quickly evaluate the results.
00:41
This slide shows you the steps we'll follow.
00:46
Welcome to the Nmap port scanning lab. So after you've
00:50
used host discovery options to narrow down your search to selected interesting targets, you need to get more granular about your scans in order to uncover potential vulnerabilities.
01:00
In this lab, I'll focus on scanning a Windows 2012 server.
01:03
I don't mean to harp on Windows servers too much, but they're very common, and they have the potential, especially on a local network, to expose a lot of useful information to an attacker, even when the built-in host-based firewall is enabled.
01:17
On my network, my
01:19
2012 R2 server is at the IP address 192.168.1.10.
01:26
Okay, so we'll start with a regular Nmap scan, which, as you've heard a million times, scans 1000 TCP ports using the SYN scan.
01:34
And it's the same as, ah, -sS. So we'll do nmap -,
01:41
actually, nmap 192.168.1.10.
01:49
See all the open ports.
01:53
And that's the same as a
01:56
nmap
01:57
-sS with the same IP address. I won't run it again.
02:01
You've seen a lot.
02:04
All right. So now we'll do, uh, nmap
02:07
-F.
02:10
And as you know, this scans
02:14
the 100 most popular TCP ports.
02:21
There you go. Pretty much the same results.
02:24
And Nmap's really good about identifying what are the most common ports. So in some scans you won't see a difference between the open ports in a 1000-port scan versus the 100-port scan,
02:37
or the fast scan.
02:40
Okay. So another thing that you could do,
02:44
and we'll get into more details about UDP scans, but you could do nmap -sU.
02:53
And what this will do is scan 1000 of the most popular UDP ports on this IP address. I'm not gonna run this scan because it takes a really long time.
03:04
Um, but feel free to do that on your own.
03:07
What I will do is show you that
03:10
a -F, a fast scan of the
03:14
100 most popular UDP ports, will work and doesn't take too long to run.
03:23
I'll hit Enter to see the progress,
03:32
Enter again.
03:37
I'll go ahead and let this run until the scan completes, even though it does take a little bit of time. UDP scanning
03:45
takes a lot longer to run than TCP scanning,
03:50
no matter what type of TCP scan that you run, really,
03:53
especially a SYN scan, since SYN scans are so fast.
03:59
There you go. So you see the three open UDP ports and the responding services.
04:08
All right, so clear the screen, and now we'll do a combination of those two. We'll do a fast UDP and TCP scan. So
04:16
this is, ah, nmap -sS
04:20
for the SYN scan,
04:23
-sU
04:24
for the UDP scan, and
04:27
-F for the fast scan.
04:30
My target.
04:32
So the main thing I want to point out here is that
04:38
if you do a -sU, it will only scan UDP ports. So if you want to also add
04:46
TCP ports, you have to specify what type of TCP scan you wanna do. In this case, I'm just gonna do a SYN scan because it's fast and it's,
04:54
it provides a lot of valuable information. So hit Enter.
05:01
So it'll take a little bit longer than the last scan, since we've added the TCP
05:08
scan, the SYN scan. But,
05:10
surprisingly, it doesn't take much longer than that one.
05:18
There we go. So now you can see
05:21
it reports the state,
05:24
the service,
05:27
and you see TCP and UDP ports.
05:30
21.92 seconds.
05:35
Okay, so now we're gonna get into scanning specific ports using a TCP SYN scan. So do nmap
05:43
-p
05:45
for the port.
05:46
We'll do port 53
05:47
for DNS.
05:51
All right. So
05:53
-p, a space, and then the port number
05:57
against that target,
06:02
and we see that that port is open.
06:06
All right, so that's how you specify one port.
06:10
So let's do nmap -p.
06:13
We'll do 53,
06:15
80,
06:16
135.
06:21
So when you want to specify multiple TCP ports,
06:25
just do a space
06:27
and then each port
06:29
separated by a comma.
06:33
You see how fast that is?
06:35
All three of those are open on my Windows 2012 server.
06:42
Okay, so now I want to show you a little bit of a variation from that, and that is
06:57
Okay. So another thing that you can do is you can put a port range,
07:00
and that's just separated by a dash. So I did nmap -p, space, 53 4 53, a comma, and then this range of ports against this target.
07:15
Very fast,
07:17
and you can see the results.
07:21
What is that? Another thing you can do in Nmap is you go nmap -p and then a dash, and then the target. Oops.
07:32
this scan
07:34
scans every single, all 65,535 ports. So it takes, even with a SYN scan, which is, you know, the default scan, it takes a really long time. So I'm not gonna run this one. I'll go ahead and hit Enter just for the heck of it, I guess,
07:50
Um,
07:54
and you can see
07:56
the status
07:59
so it takes about, in this case, it takes about a minute and a half probably. So I'm not gonna let that run. But
08:05
I just wanted to show you the syntax for scanning every single TCP port.
08:11
All right, so another way that you can specify a port is by the service name. So we'll do nmap -p.
08:26
Oops.
08:30
And we're gonna scan against these services or applications. Um,
08:35
and you have to learn a little bit of what Nmap calls each one of those services. I mean, they're pretty standard.
08:41
But
08:43
once you do learn, um, if this is the way that you want to do it, feel free.
08:48
If you can't remember the port number but can remember the service name,
08:50
it might be easier for you.
08:54
And the scan is just as fast. So
08:58
there you can see the results.
09:03
Okay, so that's TCP SYN port scanning, which is the default within Nmap.

Instructed By

Rob Thurston
CIO at Integrated Machinery Solutions
Instructor