[00:00:00] Instructor: It is time we discuss the different scan types that we can do with Nmap. Now, Nmap is a huge tool and it offers many different types of scans that we can perform, and we'll be covering just some of them, since there are a lot. However, at the end of this video, I will give you a really good tip as to how you can really master the Nmap tool. Talking about different scans doesn't necessarily mean the tool will get different results. As a matter of fact, many of these different scans will give us the same result. And in this video, I am going to explain exactly what the differences are between certain scans. To fully understand this, you will need background knowledge on TCP and UDP. So, in case you didn't watch the short video I made on TCP and UDP, make sure to watch it before covering this. Let's start with the first type of scan, and that scan is called the TCP SYN scan. Let me open the terminal.
[00:01:03] The command that we must run is nmap -sS, and then we're going to be scanning Metasploitable in this video, since that is the machine that we are attacking, so the IP address of my Metasploitable is 192.168.1.6, and this -sS is the TCP SYN scan. The SYN scan is probably the most popular scan in Nmap. It can be performed quickly, scanning thousands of ports per second on networks that aren't protected by a firewall. And the reason why it is called a SYN scan is because it never really opens a full TCP connection. You only perform the first step of the three-way handshake, which is sending a SYN. And the way it works is, if the target sends a SYN-ACK back for a certain port, that indicates that that port is listening, or it is open. The target can also send something called RST, which stands for reset, which would indicate that the port is closed. In case it doesn't give any response back after several tries, the port will be marked as filtered. And filtered is just another state of ports that happens once Nmap cannot determine whether a certain port is open or closed.
[00:02:18] The filtered state could happen if the port is, for example, protected by some filtering or a firewall. And now that we know exactly how the TCP SYN scan works, let's test it out on our Metasploitable. There is one thing with this command: if we try to run it, it will not work. It will tell me, "You requested a scan type which requires root privileges." And the reason this requires root privileges is because we are only sending one part of the three-way handshake and telling our machine that we do not want to respond to a SYN-ACK bit set in case it is sent back from the target, and that requires root privileges. So we must run this with sudo: sudo nmap -sS, and then let's type in our password. And we will notice it gives us the results of ports that are open very fast. And it is also very important and satisfying once we know how a certain scan type works. Once again, it sends only the SYN and waits for a SYN-ACK or RST, and it never establishes a full TCP connection. Let us check out the result. So we got these ports open, and we also got what service is running on those open ports.
[00:03:32] Now, here's the time that it took, and we are going to compare this with different scans. And the reason it finished this fast is, once again, it doesn't establish a connection. Compared to this SYN scan that we just performed, we also got something called the TCP connect scan, also labeled as -sT. So in order to run this, we can just change this command from -sS to -sT. And you will see all of these options if you run the Help menu of Nmap. What's interesting about this is that it does not require sudo privileges, and the reason it does not require them is because it performs a normal TCP three-way handshake connection. So the only difference between this and the previous scan is that the TCP connect scan establishes a full connection. The important part here that you should remember is that this scan will leave much more trace that you performed an Nmap scan on the target machine, and it is easily detected. That's why, once you can run Nmap as root, usually the SYN scan will be a better option than the TCP connect scan.
[00:04:40] Nonetheless, let's test this one out, so we can remove sudo, as it does not require root privileges, and you will see it also finishes relatively fast. The output will be exactly the same as with the SYN scan, but sometimes it could take a little bit longer than the SYN scan since it is performing a full TCP connection. And even though we got the exact same result, which is just the open ports and the services that they run, now we know how both of these scans work. And now you know that, for example, this scan is much more detectable than the SYN scan, or you can say that it just makes more noise on the target machine. Now the last scan that we're going to cover. Keep in mind, these are just some of the scans, and I will show you where you can find the rest of them and possibly test them out, if you want to. But the next scan that I'm going to cover is pretty unpopular, and that is the -sU scan, also known as the UDP scan. The reason why it's unpopular is because many services on the Internet run over the TCP protocol, as we already know.
[00:05:46] Since UDP scanning is much slower than TCP scanning and more difficult, sometimes, when people are developing security for their ports, they ignore the UDP ports. And this results in a mistake, as there are a lot of exploitable UDP services, and we should never ignore this scan just because it takes time. Let us test it out. This also will require sudo privileges, so let us type sudo nmap -sU for the UDP scan and specify the IP address of Metasploitable. You will notice this scan will take time. You can check what percentage it is currently at by pressing the up arrow key. So if I press the up arrow key, down here it'll tell me it is currently at 3%. And I'm just going to leave this running while I show you the cool tip for Nmap. So remember this: the key to learning Nmap in great detail is not in reading its Help menu but in reading its manual. And to open the Nmap manual, you can open your terminal and type manual nmap. And let me do this in a second terminal. So I will open it up. Type man and then nmap. This man right here is short for manual.
[00:07:08] Press Enter. In this file it explains every Nmap option in great detail. Let us find the different scan types that also exist, since we didn't really cover every one of them. Let's scroll all the way down to the different Nmap scans. And as we're scrolling, you will see that we are passing the actual Help menu that we get outputted once we run --help. And below this Help menu, it explains every option in great detail. And as I'm scrolling, I came to this part which says port scanning basics, and here are the six port states recognized by Nmap. And this is good to read, so we got the open port state, the closed port state, we got the filtered port state, the unfiltered port state, open and filtered, and closed and filtered. So if you want, read through this. It is really useful, once you get, for example, filtered ports, to know exactly what that means. And if I go a little bit more down, here they are. Here are the different scan types that Nmap has. So here is the TCP SYN scan that we performed, which is -sS. Here is the -sT, which is the full TCP connection scan.
[00:08:27] And down here, you will notice after the UDP scan that we got different options as to how we can perform our scan. And you can read about each and every one of them, and see when they are useful, and how you can specify them. Here is the TCP ACK scan, here's the TCP window scan, and you will see there are a lot of them. There are also different options such as these scanflags, which is a custom TCP scan, but this is an advanced option and we might take a look at this later on. Here is the idle scan, the ECHO scan, let's see all the way down. IP protocol scan, FTP relay host, FTP bounce scan. And that would pretty much be it for the Nmap scans. So depending on your target and what you exactly want to get from this scan, you would pick one of them. So, for example, if you wanted to discover open ports, you would use the TCP SYN scan. Now the ACK scan, I believe, which is the -sA, which we saw a few seconds ago, is useful, I believe, for mapping out the firewall. Just read through them, if you have time, and you will discover how they work and when they are useful.
[00:09:40] So let's see what percentage our UDP scan is at. So it has finished about a third of the scan. And we know that this will take at least 10 to 15 more minutes, so we're not going to wait for this. And by the way, about the Nmap manual, you won't need to read that entire file; it is just good to know that it exists. So sometimes, when you forget something or you want to check out if Nmap has some other option that you need, you can just open that manual and read until you find what you need. Nobody expects you to know everything inside of that file. But after some time, you will start picking some of the commands up and memorizing them. Cool. We covered a lot in this video. The next two videos will be even more important. We're going to check how we can discover the operating systems that our target machines run and what versions of services they are running on an open port, which is, remember, one of the most important things that we want to find.