WEBVTT

00:00.760 --> 00:05.350
Hello, my name is Stephan, and in this lecture we will explore the fascinating world of network

00:05.350 --> 00:06.310
reconnaissance.

00:06.640 --> 00:07.390
So.

00:08.550 --> 00:15.000
Nmap is renowned for its extensive range of host and port discovery techniques, allowing penetration

00:15.000 --> 00:21.000
testers and system administrators to gather critical information about their networks.

00:21.000 --> 00:27.240
By utilizing these techniques, we can effectively scan hosts even in the most restricted environments.

00:27.240 --> 00:33.600
So let's explore some of the key techniques employed by Nmap for host discovery.

00:35.060 --> 00:37.460
We can also trace routes with Nmap.

00:37.460 --> 00:39.950
So tracing routes with Nmap.

00:41.250 --> 00:47.880
From the scanning machine to the target host can provide valuable insight into the network topology.

00:47.910 --> 00:52.680
Nmap enables us to include trace route information during our scans.

00:52.680 --> 00:57.750
So for example, now we will enter the Nmap command as nmap.

00:59.390 --> 01:02.900
-sn and we will add a --traceroute option.

01:04.830 --> 01:11.430
So by using this option, we can trace the path taken by packets from our machine to the target host.

01:11.640 --> 01:13.260
Let's do this example here.

01:13.260 --> 01:18.040
So nmap --traceroute and here we will enter some website.

01:18.060 --> 01:21.090
In this case it's going to be, for example, code sally.

01:21.240 --> 01:23.460
This is our application which we.

01:24.320 --> 01:29.990
Our website which we installed for penetration testing in this course here.

01:29.990 --> 01:37.460
And as you can see here, traceroute has to run as root and we will use this sudo here and after that

01:37.460 --> 01:41.090
and as you can see here, this is our traceroute.

01:41.090 --> 01:47.660
So this command initiates a ping scan with a traceroute enabled for both the.

01:49.140 --> 01:51.630
Constantly on our host machine.

01:51.630 --> 01:56.460
So we can also add another here, for example, Google.com and here.

01:56.460 --> 01:56.970
That's it.

01:56.970 --> 01:57.660
So.

01:58.500 --> 02:05.970
We are allowing us to visualize the network path and identify potential bottlenecks or routing areas

02:05.970 --> 02:06.210
here.

02:06.210 --> 02:09.360
As you can see, we don't have any issues on routing here.

02:09.360 --> 02:19.860
So Segment three: Leveraging NSE scripts during host discovery. Nmap's scripting capabilities through

02:19.860 --> 02:21.390
the Nmap scripting engine.

02:21.390 --> 02:28.890
NSE here provide a powerful way to gather additional information about a target during the host discovery

02:28.890 --> 02:29.370
phase.

02:29.370 --> 02:37.140
By executing the Nmap scripting engine scripts, we can extract valuable insights about a target service's

02:37.140 --> 02:45.930
vulnerabilities or even perform specific tasks. To execute an Nmap scripting engine script without conducting

02:45.930 --> 02:52.860
a port scan, we can use the -sn option to skip port scanning and specify the desired script using

02:52.860 --> 02:54.870
the --script option.

02:54.870 --> 03:03.730
So here what we're going to do is nmap --script here and we will use dns-brute as an Nmap

03:03.730 --> 03:04.870
scripting engine.

03:04.870 --> 03:11.620
So dns-brute here and after that we will enter our target domain or IP address.

03:11.620 --> 03:16.720
So in this case it's going to be console here, dot com and here.

03:19.640 --> 03:22.010
We will pay the execution here.

03:30.170 --> 03:33.350
Let's actually run with the sudo privileges.

03:44.540 --> 03:48.680
And here, as you can see here, we got no target specified.

03:48.680 --> 03:51.530
And so zero host scanned.

03:55.610 --> 04:00.710
And here, if you are getting this error, you can also use the alternative script for this here.

04:00.710 --> 04:09.370
So instead of writing dns-brute here, you can also write dns-nsec-enum and after that you

04:09.380 --> 04:12.590
enter your domain or IP address.

04:12.590 --> 04:22.310
So here this is an alternative and this script performs a DNS enumeration by querying for DNSSEC records,

04:22.310 --> 04:25.520
which can provide valuable information about the domain.

04:25.520 --> 04:27.560
And here now, we will get.

04:28.400 --> 04:29.480
An output here.

04:42.030 --> 04:49.670
And also keep in mind that the success of this command depends on the availability of this dns-nsec-

04:49.710 --> 04:56.340
enum script on your network configuration, and you may need to install additional Nmap scripting engine

04:56.340 --> 05:02.130
scripts or adjust the command according to your specific environment.

05:02.220 --> 05:04.950
So if you need any

05:06.040 --> 05:12.820
assistance, or if you encounter any errors, feel free to ask me in the

05:14.160 --> 05:15.900
question sections of our course.

05:15.900 --> 05:18.930
And as you can see here, we got a lot of information here.

05:18.930 --> 05:21.570
We got ports and this here.

05:21.660 --> 05:30.180
So here in this command, we are executing this DNS DNSSEC script during host discovery, which attempts

05:30.180 --> 05:34.530
to brute force DNS records for the cozily.com domain.

05:34.530 --> 05:42.840
This can reveal hidden subdomains, but also provide valuable information here and as you can see,

05:42.870 --> 05:44.700
open ports and so on.

05:44.700 --> 05:48.600
So we can also use the -sn here before the --script here.

05:48.600 --> 05:51.720
And let's see how the port will change.

05:51.720 --> 05:56.280
And as you can see here, now we are not scanning ports.

05:56.280 --> 06:04.230
This parameter will not scan port here and here We are sending this host record server here.

06:04.230 --> 06:07.890
And as you can see here, our hosting for this domain.

06:08.990 --> 06:14.000
Contains this domain address here and which is this is the IP address of this.

06:17.110 --> 06:24.400
And one interesting Nmap scripting engine script available in Nmap is the broadcast-ping script, which

06:24.400 --> 06:31.750
utilizes a broadcast ping request to identify online hosts within a network by broadcasting a ping message.

06:31.780 --> 06:39.370
Nmap can detect hosts that respond even if they have restrictive firewall rules.

06:39.370 --> 06:46.270
And to use this script, we specify it with the --script option as we did earlier, along with the desired

06:46.300 --> 06:47.710
target range.

06:47.710 --> 06:51.550
So we will do nmap -sn here, --script again.

06:52.840 --> 06:55.150
With two year script.

06:56.860 --> 07:03.680
And after that we will enter broadcast-ping and 192.168.

07:04.570 --> 07:06.670
Let's actually see our.

07:09.120 --> 07:10.260
ifconfig IP.

07:10.350 --> 07:15.630
Local IP address 13 138 13 one here.

07:15.630 --> 07:19.260
And after that we will enter the 24 and here.

07:22.560 --> 07:23.140
And nmap.

07:23.490 --> 07:28.950
And so we need to actually oops, we had the error with this typo here.

07:30.020 --> 07:32.780
broadcast-ping, and that's it.

07:33.880 --> 07:36.460
And as you can see, it's not running for lack of privileges.

07:36.460 --> 07:43.150
So we need to run it with sudo here, root privileges here and now you will see an output.

07:45.930 --> 07:46.860
And here.

07:46.860 --> 07:54.360
So with this command, we are scanning the local network with the IP range of this one slash 24, which

07:54.750 --> 08:05.520
we will scan this IP address from 0 to 256 here using this broadcast ping and here, this can be particularly

08:05.520 --> 08:12.040
useful in scenarios where your host might not respond to traditional ping requests here.

08:12.060 --> 08:18.480
So in conclusion, Nmap's discovery capabilities provide a powerful arsenal for network reconnaissance.

08:18.480 --> 08:26.640
By understanding and leveraging techniques such as traceroute, NSE (Nmap scripting engine) scripting

08:26.820 --> 08:33.930
and specialized scripts like broadcast-ping, we can gain comprehensive insights into network environments,

08:33.930 --> 08:38.280
identify active hosts and uncover potential vulnerabilities.

08:38.280 --> 08:45.870
So equip yourself with the knowledge of Nmap host discovery features and embark on your network recon-

08:45.970 --> 08:48.070
naissance journey with confidence.
