Welcome to the Nmap TCP and UDP port scanning lab.
This lab takes a little bit of time to go through, so I decided to separate it from the port scanning lesson itself.
Understanding how to tell Nmap what ports to scan is fundamental to creating Nmap scan statements, so this lab is one of the most important in the course.
I think you'll find it pretty easy once you see several examples and practice it for yourself.
Okay, now on to the lab.
In this lab, I'll show you how to create and run Nmap statements that scan for specific ports.
We'll run through a bunch of different options that include both TCP and UDP ports and quickly evaluate the results.
This slide shows you the steps we'll follow.
Welcome to the Nmap port scanning lab. So after you've used host discovery options to narrow down your search to selected interesting targets, you need to get more granular about your scans in order to uncover potential vulnerabilities.
In this lab, I'll focus on scanning a Windows 2012 server.
I don't mean to harp on Windows servers too much, but they're very common, and they have the potential, especially on a local network, to expose a lot of useful information to an attacker, even when the built-in host-based firewall is enabled.
On my network, my 2012 R2 server is at the IP address 192.168.1.10.
Okay, so we'll start with a regular Nmap scan, which, as you've heard a million times, scans 1000 TCP ports using the SYN scan.
And it's the same as -sS. So we'll do nmap 192.168.1.10
and see all the open ports.
And that's the same as nmap -sS with the same IP address. I won't run it again; you've seen it a lot.
All right, so now we'll do nmap -F.
And as you know, this scans 100 of the most popular TCP ports.
There you go. Pretty much the same results.
Nmap is really good about identifying what the most common ports are. So in some scans, you won't see a difference between the open ports in the 1000-port scan versus the 100-port scan, or the fast scan.
Okay, so another thing that you can do, and we'll get into more details about UDP scans, is nmap -sU.
What this will do is scan 1000 of the most popular UDP ports on this IP address. I'm not going to run this scan because it takes a really long time.
But feel free to do that on your own.
What I will do is show you that -F, a fast scan of the 100 most popular UDP ports (nmap -sU -F), will work and doesn't take too long to run.
I'll hit Enter to see the progress.
I'll go ahead and let this run to completion, even though it does take a little bit of time. UDP scanning takes a lot longer to run than TCP scanning, no matter what type of TCP scan you run, really, especially a SYN scan, since SYN scans are so fast.
There you go. So you see the three open UDP ports and the responding services.
All right, so clear the screen, and now we'll do a combination of those two. We'll do a fast UDP and TCP scan. So this is nmap -sS for the SYN scan, -sU for the UDP scan, and -F for the fast scan.
So the main thing I want to point out here is that if you do -sU, it will only scan UDP ports. So if you want to also add TCP ports, you have to specify what type of TCP scan you want to do. In this case, I'm just going to do a SYN scan because it's fast and it provides a lot of valuable information. So hit Enter.
So it takes a little bit longer than the last scan, since we've added the TCP SYN scan. But surprisingly, it doesn't take much longer than that one.
There we go. So now you can see it reports the state, and you see TCP and UDP ports.
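As an added example (my own code, not part of the lab and not Nmap's own tooling), here is a short Python script that pulls the open TCP and UDP ports out of Nmap's grepable output, the -oG format, so a combined -sS -sU -F run can be evaluated quickly instead of read by eye. The sample lines are constructed to look like the output of nmap -sS -sU -F -oG - 192.168.1.10 and are not real results from the lab's server; the host and port list are assumptions. It also separates UDP ports that Nmap reports as open|filtered, meaning the port never answered and Nmap cannot tell a silent open service from a firewall drop, from the UDP ports that actually responded.

```python
"""Summarise open TCP/UDP ports from Nmap grepable (-oG) output.

Added example, not from the lab. The sample below is constructed to look
like `nmap -sS -sU -F -oG - 192.168.1.10`; it is not a real scan result.
"""
import re
from collections import defaultdict

# Constructed sample (assumed host and ports): one host, mixed TCP/UDP.
# In -oG output each entry is port/state/protocol/owner/service/rpcinfo/version/
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated as: nmap -sS -sU -F -oG - 192.168.1.10
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 53/open/tcp//domain///, 53/open/udp//domain///, 88/open/tcp//kerberos-sec///, 123/open/udp//ntp///, 135/open/tcp//msrpc///, 137/open/udp//netbios-ns///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 161/open|filtered/udp//snmp///\tIgnored State: closed (191)
# Nmap done at ... -- 1 IP address (1 host up) scanned in 120.55 seconds
"""

# Only "Host: ... Ports: ..." lines carry port data; Status-only lines and
# comment lines are skipped. The Ports field ends at the next tab.
PORTS_LINE = re.compile(r"^Host: (?P<host>\S+) \((?P<name>[^)]*)\)\tPorts: (?P<ports>[^\t]*)")


def parse_grepable(text):
    """Return {host: [(port, state, proto, service), ...]} from -oG text."""
    results = defaultdict(list)
    for line in text.splitlines():
        m = PORTS_LINE.match(line)
        if not m:
            continue
        for entry in m.group("ports").split(", "):
            fields = entry.split("/")
            if len(fields) < 5:
                continue  # malformed or truncated entry, ignore it
            port, state, proto, _owner, service = fields[:5]
            results[m.group("host")].append((int(port), state, proto, service))
    return dict(results)


def open_ports(results, host):
    """Split one host's ports into confirmed-open TCP, confirmed-open UDP,
    and UDP ports reported open|filtered (no reply, so Nmap cannot tell
    a silent open service from a firewall drop)."""
    summary = {"tcp": [], "udp": [], "udp_open|filtered": []}
    for port, state, proto, _service in sorted(results.get(host, [])):
        if state == "open":
            summary[proto].append(port)
        elif proto == "udp" and state == "open|filtered":
            summary["udp_open|filtered"].append(port)
    return summary


if __name__ == "__main__":
    parsed = parse_grepable(SAMPLE_GREPABLE)
    for host in parsed:
        print(host, open_ports(parsed, host))
```

To use it on a real run, save the scan with -oG scan.gnmap and pass the file contents to parse_grepable; the "udp_open|filtered" list is the one to re-check with a version scan (-sV) or a service-specific probe before calling those ports open.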
Okay, so now we're going to get into scanning specific ports using a TCP SYN scan. So do nmap -p for the port. We'll do port 53 for DNS.
All right. So -p, a space, and then the port number, against that target, and we see that that port is open.
All right, so that's how you specify one port.
So let's do nmap -p. We'll do 53.
So when you want to specify multiple TCP ports, just do a space and then each port, separated by a comma.
You see how fast that is?
All three of those are open on my Windows 2012 server.
Okay, so now I want to show you a little bit of a variation from that. Okay, so another thing that you can do is you can put in a port range, and that's just separated by a dash. So I did nmap -p, a space, 53 4 53, a comma, and then this range of ports against this target, and you can see the results.
Another thing you can do in Nmap is nmap -p- and then the target. That scans every single one of all 65,535 ports. So it takes, even with a SYN scan, which is, you know, the default scan, a really long time. So I'm not going to run this one. I'll go ahead and hit Enter just for the heck of it, I guess, and you can see, so in this case it takes about a minute and a half, probably. So I'm not going to let that run. But I just wanted to show you the syntax for scanning every single TCP port.
All right, so another way that you can specify a port is by the service name. So we'll do nmap -p and we're going to scan against these services or applications.
And you have to learn a little bit of what Nmap calls each one of those services. I mean, they're pretty standard, once you do learn them. If this is the way that you want to do it, feel free. If you can't remember the port number but can remember the service name, it might be easier for you.
And the scan is just as fast. So there you can see the results.
Okay, so that's TCP SYN port scanning, which is the default within Nmap.
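As an added example (my own code, not Nmap's own parser), the following Python expands a -p port specification into the sets of TCP and UDP ports it selects, covering the forms used in this lab: a single port, a comma-separated list, a dash range, and the bare dash for all 65,535 ports. It goes one step beyond the lab by also handling Nmap's T: and U: prefixes, which let one -p list mix TCP and UDP ports in a combined -sS -sU scan (a prefix applies to every following entry until the next prefix, and an unprefixed entry applies to every protocol being scanned). Service names like the ones in the last scan are not resolved here, since Nmap looks those up in its nmap-services file. The spec strings in the test are constructed for illustration.

```python
"""Expand an Nmap -p port specification into the TCP/UDP ports it selects.

Added example, not Nmap's code. Handles: single ports, comma lists, dash
ranges (with either end omitted, defaulting to 1 and 65535), the bare "-"
for every port, and sticky T:/U: protocol prefixes. Service names are not
resolved (Nmap reads those from nmap-services).
"""

MAX_PORT = 65535


def _parse_range(item):
    """Turn "53", "135-139", "-1023", "1024-" or "-" into (low, high)."""
    if item == "-":
        return 1, MAX_PORT
    if "-" in item:
        lo_s, hi_s = item.split("-", 1)
        lo = int(lo_s) if lo_s else 1          # omitted start means 1
        hi = int(hi_s) if hi_s else MAX_PORT   # omitted end means 65535
    else:
        lo = hi = int(item)
    if not 0 <= lo <= hi <= MAX_PORT:
        raise ValueError(f"bad port range: {item!r}")
    return lo, hi


def expand_port_spec(spec, default_protos=("tcp",)):
    """Return {"tcp": set, "udp": set} for an Nmap -p string.

    default_protos: protocols an unprefixed entry applies to. With -sS
    alone that is ("tcp",); with -sS -sU pass ("tcp", "udp"), because
    Nmap applies an unprefixed -p to every protocol being scanned.
    """
    ports = {"tcp": set(), "udp": set()}
    current = tuple(default_protos)
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            raise ValueError("empty entry in port spec")
        # A T: or U: prefix sticks for all following entries.
        if item[:2].upper() in ("T:", "U:"):
            current = ("tcp",) if item[0].upper() == "T" else ("udp",)
            item = item[2:]
            if not item:
                raise ValueError(f"prefix without ports: {raw!r}")
        lo, hi = _parse_range(item)
        for proto in current:
            ports[proto].update(range(lo, hi + 1))
    return ports


def port_count(spec, default_protos=("tcp",)):
    """Total number of probes -p will request, TCP plus UDP."""
    sel = expand_port_spec(spec, default_protos)
    return len(sel["tcp"]) + len(sel["udp"])


if __name__ == "__main__":
    # Constructed specs for illustration, assumed target not contacted.
    for s in ("53", "53,88,135-139", "U:53,161,T:80,443", "-"):
        print(f"-p {s:<20} -> {port_count(s, ('tcp', 'udp'))} ports")
```

The port_count helper is the practical check before a long run: "-p-" against a SYN scan is 65,535 probes, and "-p-" against -sS -sU doubles that, which is why the instructor skips both full scans in this lab.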