6 hours 31 minutes
and we'll do. And
a more targeted and sophisticated application service version detection scan will do and map Dash s s since Can Dash s Capitol you for UDP scan
and we'll do port Will do TCP ports.
And for 43. Then you dp ports 1 23 and one
And we'll make it a version detection scan
of 1 92 That 1 68 that 1.10.
we'll compare the differences in the in the amount of time it takes to run the scan versus the previous simple scan.
Okay, so there's the results. So we scanned more stuff or more critical stuff in 18.71 seconds compared to the 142 seconds it took to do the simple dash s v scan of the same machine. And we've got a lot more information under version. You can see
definitely that it's a Microsoft server.
Um, and it's running active directory. L doubt
you can see the name of the domain.
And also you can see the UDP service is running NTP version three and Windows Net bios on, and then it provides the workgroup two.
So that's great information if you're doing
an inventory or if you're doing preparing for a penetration test.
All right, so
that was, um, one type of service inversion detection scan. Now, if we want, I wanted to cover a couple of the additional command lines, which is that we can add to that so we'll do the same scan.
But what will do this time is, well,
adjust the version intensity,
and then we'll compare the time that it takes and
talk a little bit about the information that it provides.
As I mentioned before, I mentioned in the lesson
the default version intensity for ah version detection scan is a seven on That's the scale from one toe nine.
So theoretically, this should be faster,
but in some cases it might
provide a little bit less information, so that took 17.8 seconds
provides pretty much all the same information. In fact, I've checked it before, and it is exactly the same information in this servers case.
So it was about a second faster
by adjusting the version intensity down to a five from a seven.
All right, so and then I'm gonna cover one other command.
And that is
for switching the version detection down even further.
That's version light.
And then we'll compare the time that this scan takes and the results.
Okay, so that one took 14.8 seconds, and it actually shows the exact same information. So these are common
ports, and service is so in map has a lot easier time matching him up against their database.
And you can also see here the C P. E.
From the CPD database and operating system is Microsoft Windows gives you the host name
Mac address and everything else, just like other scans have.
All right, so now I want No, we've gone through a couple of those commands and I've showed you how targeted scans are much better than a standard service inversion detection scan.
I want to compare some simple banner grabbing techniques to and maps application and service version detection.
common and, um, very basic but very available type of banner grabbing that people do
is telling that command. So you can obviously tell that ports other than just telling that port.
and then look at the results. So will tell that
ah server that sits in my d m z on my network. And that is just one that I already know. I'm not going to run you through
a pink sweep or anything like that.
I know this one is running a mail server.
All right, so
there you go. That's basically the results. Uh,
in some mail servers, You're gonna have a lot more information. If you tell that Thio Port 25 or 5 87 or whatever port A some TP is running on,
you'll have a lot more information than that. In this case, my mail server doesn't provide information in the banner.
So when you when you connect to it, there's not gonna be a lot of information. And so that type of banner grabbing technique doesn't really do you any good. Um,
you could do ah telling that against
G e mails, SMTP Server
and Gmail actually provides a little bit more information. You know that its g g mail SMTP server. And so if you know how to attack that or or whatever, at least that's a little bit more information than my mail server. But
neither one of them really provides you with a lot of details about that mail server.
what I wanted to do was just compare,
you know, old school banner grabbing, too.
What and Map could do. So
we'll do a an end map
make it fast.
And it's UDP scan of that same server that sits in my DMC.
Okay, and so now you're seeing a lot more service, is there? Well, I didn't really do a scan before, so you see all the service is available. There are no UDP port open on that on that machine,
so I'll go and do a more targeted scan against it so we can see if we can get version information, especially on that mail server.
Then we'll compare that against the old school. Tell that approach
I could just do it against Port 25 but I wanted to show you a little bit more of the power of and map
grabbing a whole bunch of those ports,
and you'll notice here to that.
I'm not doing the UDP scan because that adds to the time and also
there were no UDP port open.
if you're just doing a sin, scan a dash p
followed by a space and then the TCP ports is all that you need to put. You don't need to put a tea or you there.
Okay, there you have it. Um, so the mail server that is in my *** Z
is an H mail server. So that's really good information. You can look up H mail server and see if you can find
potential weaknesses in it.
work harder, Thio Penetrate it if if or exploited. If that's what you're trying to D'oh! Uh, also you can see,
SMTP is also run on 4 65 with h e mail server and you can see that I'm running a file Zillah FTP server.
also it's a Microsoft Web server. So
that's all really good information. I hope that you ah, you agree?
And I hope it all makes sense. And I really appreciate you going through this lab with me and I'll see in the next one.
This lesson was all about service and application version detection using in map.
First we talked about what service an application version detection is
second. We discussed why it is both relevant and important.
Third, we talked about when and how to use it, including the most important command line option, and you need to know.
Then I provided a couple other command line options that are available,
and we finished up this lesson with a lab that demonstrated all of the concepts and commands discussed in this lesson.
Thanks so much for walking through this lesson, and I'll talk to you again in the next one.
The network mapper (NMAP) is one of the highest quality and powerful free network utilities in the cybersecurity professional's arsenal.