1 00:00:00,840 --> 00:00:02,610 Instructor: We mentioned fragmented packets
2 00:00:02,610 --> 00:00:05,220 and creating decoys in the previous video.
3 00:00:05,220 --> 00:00:08,160 Right now we are going to mention a few more options
4 00:00:08,160 --> 00:00:10,950 and even though they are not that important,
5 00:00:10,950 --> 00:00:12,720 it is good to know they exist,
6 00:00:12,720 --> 00:00:15,150 so let's go through them real fast.
7 00:00:15,150 --> 00:00:16,800 I will not be running these options,
8 00:00:16,800 --> 00:00:18,900 but you can test them out if you want.
9 00:00:18,900 --> 00:00:22,980 I will just mention them so you know what else you can use.
10 00:00:22,980 --> 00:00:26,073 The first thing we've got is the option -S,
11 00:00:26,970 --> 00:00:31,710 and you run it like this: sudo nmap -S,
12 00:00:31,710 --> 00:00:35,670 and this option is used to spoof your IP address.
13 00:00:35,670 --> 00:00:38,370 It will make your target think that someone else
14 00:00:38,370 --> 00:00:39,660 is scanning them.
15 00:00:39,660 --> 00:00:42,690 The problem with this is that you will not get the results
16 00:00:42,690 --> 00:00:44,850 of the scan back, since they will be sent
17 00:00:44,850 --> 00:00:47,940 to the IP address that you're trying to impersonate.
18 00:00:47,940 --> 00:00:49,020 So for example,
19 00:00:49,020 --> 00:00:53,940 you can be trying to impersonate 8.8.8.8
20 00:00:53,940 --> 00:00:57,480 and your target will be scanned with this IP address,
21 00:00:57,480 --> 00:00:59,700 or at least it will seem that the scan
22 00:00:59,700 --> 00:01:01,740 is coming from this IP address.
23 00:01:01,740 --> 00:01:06,330 For this option to work, you must also specify -Pn.
24 00:01:06,330 --> 00:01:08,730 And the reason why you must specify -Pn
25 00:01:08,730 --> 00:01:11,400 is, first of all, -Pn is used to assume
26 00:01:11,400 --> 00:01:13,860 that all hosts are online.
27 00:01:13,860 --> 00:01:16,560 So it doesn't perform the ping scan to discover
28 00:01:16,560 --> 00:01:19,140 whether a host is up and running.
29 00:01:19,140 --> 00:01:22,170 Without -Pn, this option would not work,
30 00:01:22,170 --> 00:01:24,720 and the reason is because your target
31 00:01:24,720 --> 00:01:26,943 will be scanned with this IP address,
32 00:01:27,840 --> 00:01:30,810 and we will not be able to get the packets back
33 00:01:30,810 --> 00:01:33,870 and see whether the target is on or off.
34 00:01:33,870 --> 00:01:37,800 That's why we will just assume that the target is online,
35 00:01:37,800 --> 00:01:40,800 so we can scan them with a different IP address.
36 00:01:40,800 --> 00:01:43,290 Otherwise, we will never get the result
37 00:01:43,290 --> 00:01:45,060 of whether they are online.
38 00:01:45,060 --> 00:01:47,250 And sometimes with these two options
39 00:01:47,250 --> 00:01:50,370 you must also run -e.
40 00:01:50,370 --> 00:01:53,520 -e is used to specify a network interface.
41 00:01:53,520 --> 00:01:55,980 So you would simply just type ifconfig,
42 00:01:55,980 --> 00:01:58,950 check out what network interface you're using,
43 00:01:58,950 --> 00:02:01,260 and you would specify it right here.
44 00:02:01,260 --> 00:02:04,260 In my case, that would be eth0.
45 00:02:04,260 --> 00:02:07,770 Another cool option besides this that Nmap has
46 00:02:07,770 --> 00:02:12,363 is you can specify the source port with the -g option.
47 00:02:13,200 --> 00:02:15,810 This can sometimes help bypass a firewall.
48 00:02:15,810 --> 00:02:19,320 For example, a network administrator may set up a firewall
49 00:02:19,320 --> 00:02:22,380 and set a rule where only traffic from a certain port
50 00:02:22,380 --> 00:02:23,520 is allowed.
51 00:02:23,520 --> 00:02:26,520 And with that he's probably thinking that attackers
52 00:02:26,520 --> 00:02:29,910 won't be able to figure out from which port exactly.
53 00:02:29,910 --> 00:02:33,180 And if you perform a scan and send packets
54 00:02:33,180 --> 00:02:36,420 from the port that's allowed in the firewall rule,
55 00:02:36,420 --> 00:02:38,970 you successfully bypass the firewall.
56 00:02:38,970 --> 00:02:40,830 So you would specify it with -g
57 00:02:40,830 --> 00:02:43,470 and then a random port number.
58 00:02:43,470 --> 00:02:46,530 And one last thing that we will mention that would help you
59 00:02:46,530 --> 00:02:50,970 in bypassing firewalls is changing between different scan types.
60 00:02:50,970 --> 00:02:53,340 We already covered some scan types,
61 00:02:53,340 --> 00:02:56,910 and any of them could be useful to you sometimes.
62 00:02:56,910 --> 00:03:01,910 For example, in case you perform a SYN scan
63 00:03:02,010 --> 00:03:06,270 on a target machine and in case the SYN scan is blocked
64 00:03:06,270 --> 00:03:07,800 by the target's firewall,
65 00:03:07,800 --> 00:03:10,950 which would mean that they drop all SYN requests
66 00:03:10,950 --> 00:03:13,290 that try to initiate a TCP connection,
67 00:03:13,290 --> 00:03:15,960 we could try to perform a FIN scan.
68 00:03:15,960 --> 00:03:19,980 And the FIN scan is labeled like this: -sF.
69 00:03:19,980 --> 00:03:22,830 Now, you're probably confused because there are a lot
70 00:03:22,830 --> 00:03:24,390 of scans that we can do.
71 00:03:24,390 --> 00:03:27,030 And in case you don't have any networking background,
72 00:03:27,030 --> 00:03:30,150 you're probably wondering what a FIN scan even means.
73 00:03:30,150 --> 00:03:32,970 Well, a FIN scan is just sending a FIN packet
74 00:03:32,970 --> 00:03:34,440 without any other flags.
75 00:03:34,440 --> 00:03:38,010 And these SYN flags and FIN flags can be confusing sometimes,
76 00:03:38,010 --> 00:03:40,740 but with practice you will catch everything up.
77 00:03:40,740 --> 00:03:43,200 Just one piece of advice I have is that every time
78 00:03:43,200 --> 00:03:46,620 you don't fully understand something, just Google it.
79 00:03:46,620 --> 00:03:48,660 That is how I learned as well.
80 00:03:48,660 --> 00:03:51,810 And all of these options that we covered can be combined
81 00:03:51,810 --> 00:03:55,290 with something called a timing template.
82 00:03:55,290 --> 00:03:57,810 And to show you what a timing template really is,
83 00:03:57,810 --> 00:04:01,020 I opened up my Nmap manual right here,
84 00:04:01,020 --> 00:04:03,900 and I scrolled to this option right here
85 00:04:03,900 --> 00:04:06,990 which says, -T, timing template.
86 00:04:06,990 --> 00:04:09,390 And if you also open up the Nmap manual,
87 00:04:09,390 --> 00:04:11,220 this will be all the way down.
88 00:04:11,220 --> 00:04:14,400 So there are about one or two minutes of scrolling
89 00:04:14,400 --> 00:04:16,290 until you reach this option.
90 00:04:16,290 --> 00:04:19,260 Here in the Nmap manual we can see that -T
91 00:04:19,260 --> 00:04:23,940 comes with six different options, or six different modes.
92 00:04:23,940 --> 00:04:27,330 And what's interesting for us regarding security evasion
93 00:04:27,330 --> 00:04:32,190 are the first two modes, which are zero and one,
94 00:04:32,190 --> 00:04:35,970 also called paranoid and sneaky.
95 00:04:35,970 --> 00:04:40,970 These two are used for IDS evasion, as it says right here.
96 00:04:41,040 --> 00:04:44,070 Now the problem with -T0 and -T1,
97 00:04:44,070 --> 00:04:46,920 or the first two options, is since they're trying
98 00:04:46,920 --> 00:04:51,360 to avoid IDS alerts they will take a lot longer to finish.
99 00:04:51,360 --> 00:04:54,810 So once you're scanning more machines or more networks,
100 00:04:54,810 --> 00:04:58,320 this might not be the most reasonable approach to take,
101 00:04:58,320 --> 00:05:01,620 since this scan will take a lot of time
102 00:05:01,620 --> 00:05:05,130 when specifying -T0 or -T1.
103 00:05:05,130 --> 00:05:07,740 And all of this, including the options that we covered
104 00:05:07,740 --> 00:05:10,800 in the last video, will help you in security evasion
105 00:05:10,800 --> 00:05:11,940 and spoofing.
106 00:05:11,940 --> 00:05:14,670 What I would advise you to do is also read about
107 00:05:14,670 --> 00:05:17,430 the other options that we didn't cover,
108 00:05:17,430 --> 00:05:19,770 just to see what else you can do.
109 00:05:19,770 --> 00:05:22,740 In the next video, big things are happening.
110 00:05:22,740 --> 00:05:24,840 We're going to create our first tool
111 00:05:24,840 --> 00:05:26,490 used for penetration testing.
112 00:05:26,490 --> 00:05:27,323 Let's do it.