WEBVTT

00:02.420 --> 00:07.460
So Nmap is the most powerful and preferred scanner for security professionals.

00:07.880 --> 00:14.300
The usage of Nmap varies from the basics to an advanced level, so we will analyze the various scan techniques

00:14.300 --> 00:14.900
in detail.

00:15.590 --> 00:20.930
So you can run Nmap directly from msfconsole, as you normally would from the command line.

00:21.200 --> 00:27.380
However, if you want to import the results into the Metasploit database, you need to run the Nmap

00:27.380 --> 00:34.340
scan using the -oX flag, followed by the desired file name, to generate the XML output

00:34.340 --> 00:34.760
file.

00:35.240 --> 00:40.040
And then use the db_import command to populate the Metasploit database.

00:40.430 --> 00:43.940
So, how to do it: starting Nmap from Metasploit.

00:43.970 --> 00:44.900
It is easy.

00:44.900 --> 00:49.790
So launch msfconsole here, and then here.

00:51.110 --> 00:53.510
And so it may take some time here.

00:53.780 --> 00:59.330
So as you can see, the Metasploit Framework console is here, just right up here.

00:59.600 --> 01:05.750
So as you can see, we can start Nmap from within the Metasploit console.

01:06.710 --> 01:12.020
So the TCP connect scan is the most basic and default scan type in Nmap.

01:12.020 --> 01:17.420
It follows a three-way handshake process to detect the open ports on the target machine.

01:17.420 --> 01:22.370
So let's perform this scan on one of our targets.

01:22.370 --> 01:23.450
So let me show you.

01:23.750 --> 01:24.470
Here.

01:26.810 --> 01:27.910
ifconfig.

01:30.280 --> 01:39.100
So now we will do a port scan here, so I looked at our target machine.

01:39.370 --> 01:43.030
I look up the IP address, so Nmap: nmap

01:43.990 --> 01:53.590
-sT, and then your target IP address, so for example, in my case, it is 192,

01:53.590 --> 01:56.140
192.

01:57.230 --> 01:57.530
1.

01:58.820 --> 01:59.810
68.

02:01.260 --> 02:02.190
And then.

02:03.770 --> 02:11.570
168.188, 188, and 135, 134.

02:11.690 --> 02:18.220
So it can also scan the LAN addresses to find the LAN hosts.

02:18.230 --> 02:27.800
Or, as well, I had the opportunity to look at my LAN IP address from my scan and

02:27.800 --> 02:29.960
find this IP address from it.

02:29.960 --> 02:33.200
But, for instance, I just looked at it.

02:33.200 --> 02:37.430
But more examples will be in this lecture.

02:37.430 --> 02:37.820
So.

02:38.930 --> 02:44.720
And press Enter. After a while, as you can see here, we have several IP

02:44.720 --> 02:46.460
addresses open here.

02:46.460 --> 02:59.180
So we have here on this IP: IRC, X11, shell, login, exec, Microsoft netbios-ssn, and

02:59.180 --> 03:05.450
HTTP, SMTP, FTP, and so many ports we have here.

03:05.990 --> 03:11.270
So, actually, now let's...

03:11.330 --> 03:14.150
So as you can see here, the TCP connect

03:15.120 --> 03:22.140
scan is the most basic and default type of scan in Nmap. So as you can see, we passed the -sT parameter,

03:22.860 --> 03:25.950
which denotes that we want to perform a TCP connect scan.

03:26.250 --> 03:32.400
So the TCP connect scan is based on the three-way handshake process, and the returned results of the scan are

03:32.400 --> 03:33.330
considered accurate.

03:33.510 --> 03:42.120
So then, when using Nmap without specifying the range, Nmap scans the most common 1000 ports

03:42.780 --> 03:47.220
for each protocol. So next is the SYN scan.

03:47.550 --> 03:48.210
So what?

03:48.270 --> 03:50.160
What a SYN scan is and how to do it.

03:50.160 --> 03:53.180
It is not -sT, but -sS.

03:53.390 --> 03:54.270
-sS, see it.

03:54.840 --> 03:58.590
So the SYN scan is considered a stealth scanning technique.

03:59.310 --> 04:03.510
As it never forms a complete connection between the target and the scanner.

04:03.930 --> 04:07.500
So hence, it is also called half-open scanning.

04:07.710 --> 04:10.920
So let's analyze the SYN scan on the target.

04:10.920 --> 04:13.080
So nmap -sS.

04:13.380 --> 04:18.580
And after this, we will specify the port range here: nmap -sS

04:20.330 --> 04:27.440
and it will scan from port 22 to 5000: -p 22-5000.

04:29.710 --> 04:31.990
So this needs root privileges here.

04:33.350 --> 04:39.530
So we will put sudo and enter the password, and as you can see, the scan has started.

04:40.520 --> 04:40.910
So.

04:42.790 --> 04:44.920
Is this parameter here?

04:45.010 --> 04:46.210
Is this parameter here?

04:46.750 --> 04:47.470
Can you see it?

04:48.410 --> 04:49.250
Oops, I'm sorry.

04:51.350 --> 04:51.770
Here.

04:53.460 --> 04:53.730
Yes.

04:54.150 --> 04:54.510
So.

04:55.900 --> 05:03.490
The -sS parameter here will instruct Nmap to perform a SYN scan on the target machine.

05:04.240 --> 05:08.110
-sS. So what this does is a TCP SYN scan.

05:08.260 --> 05:12.850
So this means the SYN scan on the target machine.

05:13.510 --> 05:21.160
So the output of the TCP connect scan and the SYN scan here, as you can see here, may be similar,

05:21.670 --> 05:23.710
are similar in most of the cases.

05:24.310 --> 05:30.250
But the only difference lies in the fact that the SYN scan is difficult to detect by firewalls

05:30.520 --> 05:33.130
and intrusion detection systems.

05:33.160 --> 05:39.820
However, modern firewalls are capable enough to catch SYN scans as well.

05:40.150 --> 05:49.420
So the -p parameter here shows the range

05:49.660 --> 05:51.940
of port numbers that we want to scan.

05:52.000 --> 06:00.010
So using -p 22, from 22 to 5000, we used it here.

06:00.190 --> 06:11.830
But we can use 0 to 65535, to scan all 65535

06:11.830 --> 06:12.730
ports.

06:13.150 --> 06:16.570
So this is for all ports to be included here.

06:17.320 --> 06:17.770
So.

06:20.050 --> 06:30.250
The UDP scan. So the next one we will look at here is the UDP scan; it is the scanning technique

06:30.250 --> 06:33.250
to identify the open UDP ports.

06:34.000 --> 06:34.450
So.

06:35.390 --> 06:36.770
Here, let me write it here.

06:37.800 --> 06:39.590
For UDP ports.

06:40.960 --> 06:44.890
So -sU is for UDP ports.

06:46.710 --> 06:54.360
So to identify the UDP open ports on the target, 0-byte UDP packets are sent

06:54.360 --> 06:59.120
to the target machine, and the receipt of an ICMP port unreachable message means

06:59.130 --> 07:05.610
that the port is closed; otherwise, it is considered open. So it can be used like that.

07:05.610 --> 07:14.070
For example, nmap -sU, the target IP address, see it, and then execute the program, actually execute

07:14.070 --> 07:14.670
the command.

07:15.120 --> 07:17.070
It's not mandatory to use sudo.

07:17.070 --> 07:20.010
I just mistyped it, but it's not a problem here.

07:21.610 --> 07:22.060
So.

07:23.310 --> 07:24.480
As you can see here.

07:25.570 --> 07:34.510
And in this command, we will check 1000 ports, the default 1000

07:34.510 --> 07:38.950
most popular ports for the protocol here, so.

07:40.730 --> 07:42.890
It is doing the UDP scan now.

08:12.180 --> 08:22.110
So how these port scans work here. So we have analyzed three different types of scans

08:22.250 --> 08:24.900
that can be very helpful during penetration testing.

08:25.410 --> 08:32.310
So Nmap provides lots of different modes for scanning a target machine.

08:32.320 --> 08:38.910
So here we focused on three scan types, namely the TCP connect scan, the SYN

08:38.910 --> 08:42.870
stealth scan and the lastly you deep scan here.

08:43.710 --> 08:44.100
So.

08:46.130 --> 08:52.250
The different scan options of Nmap can also be combined in a single scan in order to perform

08:52.250 --> 08:55.220
a more advanced and sophisticated scan over the target.

08:56.120 --> 09:00.240
So let's move ahead and start the scanning process here.

09:00.260 --> 09:06.530
So during a penetration test, the scanning process can provide lots of useful results here, since

09:06.890 --> 09:13.580
the information collected here will form the basis of penetration testing, of course, so proper knowledge

09:13.580 --> 09:15.320
of scan types is highly recommended.

09:15.710 --> 09:20.440
So let's now take a deeper look into each of these scan types

09:20.870 --> 09:22.340
that we just learned.

09:22.350 --> 09:29.240
So the TCP connect scan is the most basic scanning technique, in which a full connection is established

09:29.240 --> 09:30.770
with the port under test.

09:31.160 --> 09:34.940
It uses the operating system's network functions to establish connections.

09:35.420 --> 09:41.810
So the scanner sends a SYN packet here, and then...

09:43.270 --> 09:50.320
So it sends a SYN packet to the target machine, so if the port

09:50.320 --> 09:53.860
is open, it will return an acknowledgement packet here.

09:53.860 --> 09:55.570
Let me write here.

09:55.830 --> 09:56.680
Not bad.

10:01.470 --> 10:02.670
SYN.

10:07.050 --> 10:08.760
ACK.

10:13.710 --> 10:18.060
And I think I'm mistaken with the grammar here, but never mind, you understand.

10:18.960 --> 10:26.310
So this sends an acknowledgement packet back to the target, showing the successful establishment

10:26.730 --> 10:27.480
of a connection.

10:27.480 --> 10:30.150
So this is called the three-way handshake process.

10:31.170 --> 10:34.670
The connection is terminated as soon as it is over.

10:34.680 --> 10:41.100
So the technique has its benefits, but it's easily traceable by firewalls and intrusion detection

10:41.100 --> 10:41.670
systems.

10:42.030 --> 10:42.450
IDS.

10:42.510 --> 10:50.940
The SYN scan is another type of TCP scan, but it never forms a complete connection

10:50.940 --> 10:51.720
with the target.

10:52.230 --> 10:54.960
It doesn't use the operating system's network functions.

10:55.530 --> 11:01.020
Instead, it generates raw IP packets and monitors for responses.

11:01.590 --> 11:05.930
If the port is open, then the target will respond with an acknowledgement message.

11:05.940 --> 11:11.820
So the scanner then sends a reset connection, or RST, message and ends the connection.

11:12.240 --> 11:15.300
Hence, it is also called half-open scanning.

11:15.570 --> 11:21.570
So this is considered a stealth scanning technique, as it can avoid raising a flag in some misconfigured

11:21.570 --> 11:25.710
firewalls and intrusion detection systems (IDS).

11:26.400 --> 11:33.270
So UDP scanning is a connectionless scanning, hence no notification is sent back to the scanner

11:33.780 --> 11:36.780
whether the packet has been received by the target or not.

11:37.200 --> 11:44.150
So if the port is closed, then an ICMP port unreachable message is sent back to the scanner.

11:44.490 --> 11:48.690
If no message is received, then the port is reported as open.

11:49.050 --> 11:56.340
So this method can return false results, as firewalls can block the data packets and therefore no response

11:56.340 --> 11:57.390
message will be generated.

11:57.390 --> 12:00.090
And it's going to report the port as open.

12:00.750 --> 12:04.200
But in reality, it is not open, just because of the firewall.
