NMAP

Course
Time
7 hours 1 minute
Difficulty
Beginner
CEU/CPE
7

Video Transcription

00:01
And we'll do a more targeted and sophisticated application and service version detection scan. We'll do nmap -sS, a SYN scan, -sU for a UDP scan, -p, and we'll do TCP ports 80, 88, 135, 139, 389 and 443, then UDP ports 123 and 137.
00:46
And we'll make it a version detection scan (-sV) of 192.168.1.10, and we'll compare the difference in the amount of time it takes to run the scan versus the previous simple scan.
01:07
Okay, so there's the results. So we scanned more stuff, or more critical stuff, in 18.71 seconds, compared to the 142 seconds it took to do the simple -sV scan of the same machine. And we've got a lot more information under version. You can see definitely that it's a Microsoft server, and it's running Active Directory LDAP; you can see the name of the domain.
01:38
And also you can see the UDP services running: NTP version 3 and Windows NetBIOS, and then it provides the workgroup too. So that's great information if you're doing an inventory or if you're preparing for a penetration test.
01:57
01:57
All right, so that was one type of service and version detection scan. Now I wanted to cover a couple of the additional command-line options which we can add to that, so we'll do the same scan, but what we'll do this time is adjust the version intensity, and then we'll compare the time that it takes and talk a little bit about the information that it provides.
02:35
02:35
As I mentioned in the lesson, the default version intensity for a version detection scan is a 7, on a scale from 1 to 9. So theoretically this should be faster, but in some cases it might provide a little bit less information.
02:53
So that took 17.8 seconds and provides pretty much all the same information. In fact, I've checked it before, and it is exactly the same information in this server's case. So it was about a second faster by adjusting the version intensity down to a 5 from a 7.
03:15
03:15
All right, and then I'm going to cover one other command, and that is just shorthand for switching the version detection down even further. That's --version-light.
03:30
And then we'll compare the time that this scan takes and the results.
03:49
03:49
Okay, so that one took 14.8 seconds, and it actually shows the exact same information. So these are common ports and services, so nmap has a lot easier time matching them up against its database. And you can also see here the CPE, from the CPE database, and operating system is Microsoft Windows. It gives you the host name and MAC address and everything else, just like other scans have.
04:20
04:20
All right, so now we've gone through a couple of those commands, and I've shown you how targeted scans are much better than a standard service and version detection scan. I want to compare some simple banner-grabbing techniques to nmap's application and service version detection.
04:39
04:39
So one common and very basic, but very available, type of banner grabbing that people do is the telnet command. So you can obviously telnet to ports other than just the telnet port, and then look at the results.
04:58
So we'll telnet to a server that sits in my DMZ on my network. That is just one that I already know; I'm not going to run you through a ping sweep or anything like that. I know this one is running a mail server.
05:21
05:21
All right, so there you go. That's basically the results.
05:29
quit
05:30
In some mail servers you're going to have a lot more information if you telnet to port 25 or 587 or whatever port SMTP is running on; you'll have a lot more information than that. In this case, my mail server doesn't provide information in the banner. So when you connect to it, there's not going to be a lot of information, and so that type of banner-grabbing technique doesn't really do you any good.
05:59
05:59
You could do a telnet against Gmail's SMTP server, and Gmail actually provides a little bit more information. You know that it's the Gmail SMTP server, and so if you know how to attack that, or whatever, at least that's a little bit more information than my mail server. But neither one of them really provides you with a lot of details about that mail server.
06:30
06:30
And so what I wanted to do was just compare old-school banner grabbing to what nmap can do. So we'll do an nmap SYN scan, make it fast, and a UDP scan of that same server that sits in my DMZ.
07:08
07:08
Okay, and so now you're seeing a lot more services there. Well, I didn't really do a scan before, so you see all the services available. There are no UDP ports open on that machine, so I'll go and do a more targeted scan against it so we can see if we can get version information, especially on that mail server. Then we'll compare that against the old-school telnet approach.
07:39
07:39
Scroll up. I could just do it against port 25, but I wanted to show you a little bit more of the power of nmap, grabbing a whole bunch of those ports.
08:16
And you'll notice here too that I'm not doing the UDP scan, because that adds to the time and also there were no UDP ports open. So if you're just doing a SYN scan, -p followed by a space and then the TCP ports is all that you need to put. You don't need to put a T: or U: there.
08:46
08:46
Okay, there you have it. So the mail server that is in my DMZ is an hMailServer. So that's really good information. You can look up hMailServer and see if you can find potential weaknesses in it, and work harder to penetrate it, or exploit it, if that's what you're trying to do.
09:05
Also you can see SMTP is also running on 465 with hMailServer, and you can see that I'm running a FileZilla FTP server, and also it's a Microsoft web server. So that's all really good information. I hope that you agree, and I hope it all makes sense. And I really appreciate you going through this lab with me, and I'll see you in the next one.
09:39
09:39
This lesson was all about service and application version detection using nmap. First, we talked about what service and application version detection is. Second, we discussed why it is both relevant and important. Third, we talked about when and how to use it, including the most important command-line option that you need to know. Then I provided a couple of other command-line options that are available, and we finished up this lesson with a lab that demonstrated all of the concepts and commands discussed in this lesson.
10:09
Thanks so much for walking through this lesson, and I'll talk to you again in the next one.


Instructed By

Rob Thurston
CIO at Integrated Machinery Solutions
Instructor