1
00:00:00,210 --> 00:00:05,540
Correct timing in Nmap scans is important for the accuracy and effectiveness of the scan.

2
00:00:06,830 --> 00:00:13,340
In the case of outside scans, it is usually preferable to use slow scans to avoid devices such as IPS

3
00:00:13,340 --> 00:00:14,510
and IDS.

4
00:00:14,960 --> 00:00:19,250
Whereas in a scan from an internal network, quick scan options will be preferred.

5
00:00:20,320 --> 00:00:26,320
While the fine-grained timing controls are powerful and effective, fortunately Nmap offers a simple

6
00:00:26,320 --> 00:00:28,450
approach with six timing templates.

7
00:00:30,060 --> 00:00:36,180
You can specify them with the uppercase T option and their number, zero through five, or their name.

8
00:00:37,050 --> 00:00:38,640
The template names are paranoid,

9
00:00:38,790 --> 00:00:39,330
zero,

10
00:00:39,360 --> 00:00:40,560
sneaky, one,

11
00:00:40,830 --> 00:00:42,950
polite, two, normal,

12
00:00:43,110 --> 00:00:43,620
three,

13
00:00:44,010 --> 00:00:47,430
aggressive, four, and insane, five.

14
00:00:47,610 --> 00:00:50,670
The first two are for IDS evasion.

15
00:00:51,450 --> 00:00:56,700
Polite mode slows down the scan to use less bandwidth and target machine resources.

16
00:00:57,640 --> 00:01:01,870
Normal mode is the default, and so T3 does nothing.

17
00:01:02,200 --> 00:01:03,020
Aggressive mode

18
00:01:03,340 --> 00:01:08,770
speeds scans up by making the assumption that you are on a reasonably fast and reliable network.

19
00:01:09,100 --> 00:01:15,280
Finally, insane mode assumes that you're on an extraordinarily fast network, or you're willing to sacrifice

20
00:01:15,280 --> 00:01:16,480
some accuracy for speed.

21
00:01:17,860 --> 00:01:24,040
The max-retries option specifies the maximum number of port scan probe retransmissions.
22
00:01:25,250 --> 00:01:32,450
When Nmap receives no response to a port scan probe, it could mean that the port is filtered, or maybe

23
00:01:32,450 --> 00:01:35,360
the probe or response was simply lost on the network.

24
00:01:36,490 --> 00:01:41,870
It's also possible that the target host has rate limiting enabled that temporarily blocked the response.

25
00:01:42,550 --> 00:01:49,240
So Nmap tries again by retransmitting the initial probe. If Nmap detects poor network reliability,

26
00:01:49,630 --> 00:01:52,810
it may try many more times before giving up on a port.

27
00:01:53,740 --> 00:01:57,970
And while this benefits accuracy, it also lengthens scan times.

28
00:01:58,450 --> 00:02:03,880
So when performance is critical, scans may be sped up by limiting the number of retransmissions allowed.

29
00:02:04,510 --> 00:02:11,560
You can even specify max-retries zero to prevent any retransmissions, though that's only recommended

30
00:02:11,560 --> 00:02:18,640
for situations such as informal surveys where occasional missed ports and hosts are acceptable.

31
00:02:19,630 --> 00:02:25,860
The default with no uppercase T template is to allow 10 retransmissions.

32
00:02:26,890 --> 00:02:34,270
Host timeout is used to give up on slow targets. Some hosts simply take a long time to scan.

33
00:02:34,720 --> 00:02:41,470
This may be due to poorly performing or unreliable networking hardware or software, packet rate limiting,

34
00:02:41,470 --> 00:02:43,150
or a restrictive firewall.

35
00:02:43,930 --> 00:02:49,090
The slowest few percent of the scanned hosts can eat up a majority of the scan time.

36
00:02:49,780 --> 00:02:53,950
Sometimes it's best to cut your losses and skip those hosts initially.

37
00:02:54,920 --> 00:03:00,380
Specify host-timeout with the maximum amount of time you're willing to wait.
38
00:03:00,650 --> 00:03:05,960
For example, specify 30 minutes to ensure that Nmap doesn't waste more than half an hour on a single

39
00:03:05,960 --> 00:03:06,440
host.

40
00:03:07,320 --> 00:03:11,790
Note that Nmap may be scanning other hosts at the same time during that half an hour, so it's not a

41
00:03:11,790 --> 00:03:12,780
complete loss.

42
00:03:13,850 --> 00:03:20,750
Nmap utilizes parallelism and many advanced algorithms to accelerate the scans, especially in the

43
00:03:20,750 --> 00:03:22,110
case of external scans.

44
00:03:22,130 --> 00:03:29,540
It may be necessary to close the parallel scan, that is, to send only a single packet to a server at a

45
00:03:29,540 --> 00:03:33,200
time, and Nmap utilizes different options for this purpose.

46
00:03:33,410 --> 00:03:39,530
As we saw just a few minutes ago, you can manage the timing using the uppercase T option. If you use the

47
00:03:39,530 --> 00:03:45,860
template zero paranoid, one sneaky, or two polite, parallelization is closed.

48
00:03:46,310 --> 00:03:51,290
That means these templates serialize the scan, so only one port is scanned at a time.

49
00:03:51,890 --> 00:03:59,480
The scan-delay option causes Nmap to wait at least a given amount of time between each probe it sends

50
00:03:59,480 --> 00:04:00,410
to a given host.

51
00:04:01,400 --> 00:04:04,550
This is particularly useful in the case of rate limiting.

52
00:04:05,410 --> 00:04:13,090
Solaris machines, among many others, will usually respond to UDP scan probe packets with only one

53
00:04:13,090 --> 00:04:15,100
ICMP message per second.

54
00:04:15,700 --> 00:04:22,330
Any more than that sent by Nmap will be wasteful. A scan delay of one second will keep Nmap at that

55
00:04:22,330 --> 00:04:22,990
slow rate.

56
00:04:23,910 --> 00:04:28,260
Nmap tries to detect rate limiting and adjust the scan delay accordingly.
57
00:04:28,440 --> 00:04:33,120
But it doesn't hurt to specify it explicitly if you already know what rate works best.

58
00:04:33,450 --> 00:04:40,680
OK, so by default, Nmap calculates an ever-changing ideal parallelism based on network performance.

59
00:04:41,250 --> 00:04:48,420
The max-parallelism option is sometimes set to one to prevent Nmap from sending more than one probe

60
00:04:48,420 --> 00:04:49,710
at a time to hosts.

61
00:04:51,150 --> 00:04:57,570
Nmap has the ability to port scan or version scan multiple hosts in parallel. Nmap does this

62
00:04:57,570 --> 00:05:02,460
by dividing the target IP space into groups and then scanning one group at a time.

63
00:05:03,400 --> 00:05:10,690
When a maximum group size is specified with max-hostgroup, Nmap will never exceed that size.

64
00:05:11,470 --> 00:05:17,230
So if you specify the maximum number of hosts in a group as one using the max-hostgroup option,

65
00:05:18,240 --> 00:05:23,070
there will be only one host in the group, and only one host will be scanned at a time.

66
00:05:23,460 --> 00:05:27,960
So what do you reckon the difference is between max-parallelism and max-hostgroup?

67
00:05:28,650 --> 00:05:29,190
Did you see it?

68
00:05:30,490 --> 00:05:36,730
When you set max-parallelism to one, Nmap sends only one packet to a host at a time.

69
00:05:37,570 --> 00:05:43,900
When you set max-hostgroup to one, Nmap scans only one host at a time.