1 00:00:00,420 --> 00:00:09,150 It is time we discuss different types of scans that we can do with nmap now, and nmap is a huge tool and it offers
2 00:00:09,150 --> 00:00:14,790 many different types of scans that we can perform, and we'll be covering just some since there are a
3 00:00:14,790 --> 00:00:15,280 lot of them.
4 00:00:15,960 --> 00:00:22,260 However, at the end of this video, I will give you a really good tip as to how you can really master
5 00:00:22,260 --> 00:00:28,940 nmap. Now, talking about different scans doesn't necessarily mean that we will get different results.
6 00:00:29,790 --> 00:00:34,320 Matter of fact, many of these different scans will give us the same result.
7 00:00:35,160 --> 00:00:41,130 And in this video, I'm going to explain exactly what the differences are between certain scans.
8 00:00:41,640 --> 00:00:46,580 To fully understand this, you will need background knowledge on TCP and UDP.
9 00:00:47,010 --> 00:00:53,160 So in case you didn't watch the short video I made on TCP and UDP, make sure to watch it before covering
10 00:00:53,160 --> 00:00:53,490 this.
11 00:00:54,720 --> 00:01:01,560 Let's start with the first type of scan, and that scan is called TCP SYN scan. Let me open the terminal.
12 00:01:03,280 --> 00:01:06,930 The command that we must run is nmap -s
13 00:01:07,000 --> 00:01:12,310 S, and then we are going to be scanning Metasploitable in this video, since that is the machine
14 00:01:12,310 --> 00:01:13,120 that we are attacking.
15 00:01:13,130 --> 00:01:20,740 So the IP address of it at this point is 192.168.1.6, and this -sS
16 00:01:20,740 --> 00:01:29,290 is TCP SYN scan. SYN scan is probably the most popular scan in nmap; it can be performed quickly,
17 00:01:29,710 --> 00:01:34,060 scanning thousands of ports per second on networks that aren't protected by a firewall.
18 00:01:34,570 --> 00:01:40,380 And the reason why it is called a SYN scan is because it never really opens up a full connection.
19 00:01:40,840 --> 00:01:45,280 You only perform the first step of a three-way handshake, which is sending SYN.
20 00:01:45,880 --> 00:01:53,680 And the way it works is, if the target sends SYN/ACK back for a certain port, that indicates that that port
21 00:01:53,680 --> 00:01:55,540 is listening or it is open.
22 00:01:56,110 --> 00:02:01,930 The target can also send something called RST, which stands for reset, which would indicate that the
23 00:02:01,930 --> 00:02:06,250 port is closed. In case it doesn't give any response back
24 00:02:06,250 --> 00:02:13,390 after several tries, ports will be marked as filtered, and filtered is just another state of ports that
25 00:02:13,390 --> 00:02:17,740 happens once nmap cannot determine whether a certain port is open or closed.
26 00:02:18,280 --> 00:02:23,380 The filtered state could happen if a port is, for example, protected by some filtering or a firewall.
27 00:02:23,770 --> 00:02:29,110 And now that we know exactly how this works, let's test it out on our Metasploitable.
28 00:02:29,650 --> 00:02:31,540 There is one thing with this command.
29 00:02:31,570 --> 00:02:34,290 If we try to run it, it will not work.
30 00:02:34,300 --> 00:02:38,740 It will tell me: you requested a scan type which requires root privileges.
31 00:02:38,950 --> 00:02:45,850 And the reason this requires root privileges is because we're only sending one part of the three-way handshake
32 00:02:45,850 --> 00:02:51,760 and telling our machine that we do not want to respond to a SYN/ACK packet in case it is sent back from
33 00:02:51,760 --> 00:02:54,460 the target; that requires root privileges.
34 00:02:54,460 --> 00:03:02,050 So we must run this with sudo: sudo nmap -sS, and then let us type in our password.
35 00:03:03,430 --> 00:03:11,050 And we will notice it gives us the results of ports that are open very fast, and it is also very important
36 00:03:11,050 --> 00:03:14,470 and satisfying once we know how a certain scan type works.
37 00:03:14,960 --> 00:03:21,580 Once again, it sends only the SYN and waits for a SYN/ACK or RST, and it never establishes a full
38 00:03:21,850 --> 00:03:22,340 connection.
39 00:03:23,410 --> 00:03:30,970 Let us check out the result, so we got these ports open and we also got what service is running on
40 00:03:30,970 --> 00:03:31,850 those open ports.
41 00:03:32,890 --> 00:03:37,560 Now, here is the time that it took, and we're going to compare this with different scans.
42 00:03:38,320 --> 00:03:42,640 And the reason it finished this fast is, once again, it doesn't establish a connection.
43 00:03:44,410 --> 00:03:50,710 Compared to this SYN scan that we just performed, we also got something called TCP connect scan,
44 00:03:51,070 --> 00:03:53,490 or also labeled as -sT.
45 00:03:54,100 --> 00:04:00,670 So in order to run this, we can just change this command from -sS to -sT, and you will see
46 00:04:00,670 --> 00:04:04,000 all of these options if you run the help menu of nmap.
47 00:04:04,820 --> 00:04:11,000 What's interesting about this is that it does not require sudo privileges, and the reason it does
48 00:04:11,000 --> 00:04:15,260 not require it is because it performs a normal TCP three-way handshake connection.
49 00:04:15,740 --> 00:04:21,510 So the only difference between this and the previous scan is that this scan establishes a connection.
50 00:04:22,070 --> 00:04:27,230 The important part here that you should remember is that this scan will leave much more trace that you
51 00:04:27,230 --> 00:04:31,830 performed an nmap scan on the target machine, and it is easily detected.
52 00:04:32,570 --> 00:04:38,600 That's why, once you can run nmap as root, usually SYN scan will be a better option than the
53 00:04:38,780 --> 00:04:39,990 typical TCP connect scan.
54 00:04:40,250 --> 00:04:45,920 Nonetheless, let's test this one out, so we can remove sudo as it does not require root privileges.
55 00:04:47,000 --> 00:04:50,480 And you will see it also finishes relatively fast.
56 00:04:50,940 --> 00:04:57,410 The output will be exactly the same as with the SYN scan, but sometimes it could take a little bit
57 00:04:57,410 --> 00:05:01,460 longer than the SYN scan since it is performing a full TCP connection.
58 00:05:02,530 --> 00:05:07,900 And even though we got the exact same result, which is just the open ports and the services that they
59 00:05:07,900 --> 00:05:11,040 run, now we know how both of these scans work.
60 00:05:11,050 --> 00:05:15,640 And now you know that, for example, this scan is much more detectable than the SYN scan.
61 00:05:16,330 --> 00:05:22,290 Or you can say that it just makes more noise on the target machine. Now for the last scan that we're going to cover.
62 00:05:22,390 --> 00:05:24,820 And keep in mind, these are just some of the scans.
63 00:05:24,820 --> 00:05:28,990 And I will show you where you can find the rest of them and possibly test them out if you want to.
64 00:05:29,710 --> 00:05:33,010 But the next scan that I'm going to cover is pretty unpopular.
65 00:05:33,250 --> 00:05:38,350 And that is the -sU scan, or also known as UDP scan.
66 00:05:39,340 --> 00:05:45,430 The reason why it's unpopular is because many services on the Internet run over the TCP/IP protocol, as
67 00:05:45,430 --> 00:05:52,390 we already know, and since UDP scanning is much slower than TCP scanning and more difficult, sometimes
68 00:05:52,390 --> 00:05:57,330 when people are developing security for their ports, they ignore the UDP ports.
69 00:05:57,910 --> 00:06:04,180 And this results in a mistake, as there are a lot of exploitable UDP services and we should never ignore
70 00:06:04,180 --> 00:06:06,140 this just because it takes time.
71 00:06:07,030 --> 00:06:07,980 Let us test it out.
72 00:06:08,620 --> 00:06:15,590 This also will require sudo privileges, so let us type sudo nmap -sU for the UDP
73 00:06:15,610 --> 00:06:18,910 scan and specify the IP address of Metasploitable.
74 00:06:20,570 --> 00:06:23,570 You will notice this scan will take time.
75 00:06:24,690 --> 00:06:30,330 You can check what percentage it is currently at by pressing the up arrow key, so if I press
76 00:06:30,340 --> 00:06:38,610 up down here, it will tell me it is currently at three percent, and I'm just going to leave this running
77 00:06:38,610 --> 00:06:40,590 while I show you the cool tip.
78 00:06:41,990 --> 00:06:48,590 So remember this: the key to learning nmap in great detail is not in reading its help menu,
79 00:06:49,040 --> 00:06:50,780 but in reading its manual.
80 00:06:51,810 --> 00:06:57,360 And to open the manual, you can open your terminal and type man nmap.
81 00:06:58,390 --> 00:07:06,070 And let me do this in a second terminal, so I'll open it up, type man, and then nmap. This man right
82 00:07:06,070 --> 00:07:09,400 here is short for manual. Press enter.
83 00:07:10,610 --> 00:07:18,680 In this file, it explains every option in great detail. Let us find different scan types that also
84 00:07:18,680 --> 00:07:21,610 exist, since we didn't really cover every one of them.
85 00:07:22,500 --> 00:07:25,370 Let's scroll all the way down to the different nmap scans.
86 00:07:27,330 --> 00:07:33,240 And as we're scrolling, you will see that we are passing the actual help menu that we get outputted
87 00:07:33,240 --> 00:07:38,940 once we run the -h, the help, and below this help menu it explains every option in great detail.
88 00:07:40,030 --> 00:07:47,350 And after some scrolling I came to this part which says port scanning basics, and here are the six port
89 00:07:47,350 --> 00:07:51,280 states recognized by nmap, and this is good to read.
90 00:07:51,310 --> 00:07:54,200 So we got the open port state, the closed port state.
91 00:07:54,550 --> 00:08:02,200 We got filtered port state, unfiltered port state, open and filtered, and closed and filtered.
92 00:08:02,680 --> 00:08:08,620 So if you want to read through this, it is really useful knowing, once you get, for example, filtered
93 00:08:08,620 --> 00:08:10,750 ports, exactly what that means.
94 00:08:11,380 --> 00:08:18,320 And if I go a little bit more down here, they are here, the different scan types that nmap has.
95 00:08:18,610 --> 00:08:26,550 So here is the TCP SYN scan that we performed, which is the -sS. Here is the -sT, which is full TCP connect
96 00:08:26,560 --> 00:08:26,850 scan.
97 00:08:27,100 --> 00:08:34,900 And down here you will notice after the UDP scan that we got different options as to how we can perform
98 00:08:34,900 --> 00:08:35,470 our scan.
99 00:08:35,980 --> 00:08:42,310 And you can read about each and every one of them and see when they are useful and how you can specify
100 00:08:42,310 --> 00:08:42,490 them.
101 00:08:43,120 --> 00:08:44,850 Here is the TCP scan.
102 00:08:45,280 --> 00:08:49,620 Here's the TCP Window scan, and you will see there are a lot of them.
103 00:08:50,320 --> 00:08:54,640 There are also different options such as the scan flags, which is a custom scan.
104 00:08:54,910 --> 00:08:58,300 But this is an advanced option and we might take a look at this later on.
105 00:08:59,410 --> 00:09:01,750 Here is idle scan, echo scan.
106 00:09:02,760 --> 00:09:05,310 Let's see all the way down, IP protocol scan.
107 00:09:06,270 --> 00:09:08,690 FTP relay host, FTP bounce scan.
108 00:09:09,820 --> 00:09:13,390 And that would pretty much be it for the scan types.
109 00:09:14,440 --> 00:09:20,380 So depending on your target and what you exactly want to get from the scan, you would pick one of them.
110 00:09:20,590 --> 00:09:24,750 So, for example, if you wanted to discover open ports, you would use the TCP scan.
111 00:09:25,300 --> 00:09:31,540 Now, the ACK scan, I believe, which is the -sA, which we saw a few seconds ago, is useful,
112 00:09:31,540 --> 00:09:35,490 I believe, for mapping out the firewall rules. Just go through them
113 00:09:35,530 --> 00:09:39,630 if you have time and you will discover how they work and when they are useful.
114 00:09:40,270 --> 00:09:43,530 So let's see what percentage of the UDP scan it is at.
115 00:09:44,170 --> 00:09:46,330 So it has finished about a third of the scan.
116 00:09:46,660 --> 00:09:50,080 And we know that this will take at least 10 to 15 more minutes.
117 00:09:50,090 --> 00:09:51,550 So we are not going to wait for this.
118 00:09:52,710 --> 00:09:59,430 And by the way, about the nmap manual, you don't need to read that entire file, it is just good to know
119 00:09:59,430 --> 00:10:00,400 that it exists.
120 00:10:00,750 --> 00:10:05,820 So sometimes when you forget something or you want to check out if nmap has some other option that
121 00:10:05,820 --> 00:10:06,180 you need,
122 00:10:06,660 --> 00:10:10,660 you can just open that manual and read until you find what you need.
123 00:10:11,400 --> 00:10:17,040 Nobody expects you to know everything inside of that file, but after some time, you will start picking
124 00:10:17,040 --> 00:10:19,250 some of the commands up and memorizing them.
125 00:10:20,130 --> 00:10:20,420 Cool.
126 00:10:21,060 --> 00:10:22,680 We covered a lot in this video.
127 00:10:23,250 --> 00:10:26,310 The next two videos will be even more important.
128 00:10:26,700 --> 00:10:33,090 We're going to check how we can discover operating systems that our target machines run and what versions
129 00:10:33,090 --> 00:10:39,390 of services they are running on an open port, which is, remember, one of the most important things
130 00:10:39,390 --> 00:10:40,410 that we want to find.