WEBVTT

0
00:01.840 --> 00:09.510
Now that you know the basics of nmap we can move on to advanced features. Many firewalls and routers

1
00:09.540 --> 00:17.980
block or drop ICMP ping packets. When you use nmap to scan a system or a network, by default, it sends

2
00:18.070 --> 00:25.150
out a ping to see if the host is up and if it gets a response, it then sends the specified packets 

3
00:25.150 --> 00:33.910
to scan the system. If the ping is blocked or dropped, nmap gives up and says, "host is down." To get around

4
00:33.910 --> 00:37.510
firewalls and routers that block ping packets, 

5
00:37.570 --> 00:43.970
we need to suppress nmap's default behavior of sending out that initial ping. 

6
00:44.170 --> 00:48.100
We can do this by using the -Pn option,

7
00:51.560 --> 01:03.600
like this: nmap -Pn (P in uppercase) and the target; it will scan the target without sending an initial

8
01:03.600 --> 01:04.020
ping.

9
01:07.190 --> 01:15.500
Let's move on and talk about Firewall and IDS Evasion and Spoofing. When you are

10
01:15.500 --> 01:18.260
scanning machines that are not yours, 

11
01:18.260 --> 01:23.360
you often want to hide your real IP address which is your identity. 

12
01:23.360 --> 01:28.060
Obviously every packet must contain your source IP address,

13
01:28.130 --> 01:35.360
otherwise responses from the target will not come back. A recommended solution to obfuscate

14
01:35.420 --> 01:45.410
your real IP address is to use decoys. The -D option causes a decoy scan to be performed, which makes

15
01:45.410 --> 01:53.540
it appear to the remote host that the hosts you specify as decoys are scanning the target network too

16
01:54.650 --> 02:02.480
and their intrusion detection system might report multiple port scans from unique IP addresses, but they

17
02:02.480 --> 02:08.050
won't know which IP was scanning them and which were innocent decoys.

18
02:08.090 --> 02:15.650
This is generally an effective technique for hiding your IP address. Let's scan port 22 using

19
02:15.710 --> 02:22.320
decoys, so nmap -p 22 -sV

20
02:22.400 --> 02:25.070
I want a version scan as well.

21
02:25.070 --> 02:26.990
The IP address of the target

22
02:29.840 --> 02:34.780
-D and the decoys, using a comma between them:

23
02:37.870 --> 02:39.320
the first decoy,

24
02:39.460 --> 02:41.550
the second decoy,

25
02:43.470 --> 02:45.630
and the last one.

26
02:46.020 --> 02:53.710
In this example the target will be scanned from four different IP addresses and it will be hard for

27
02:53.710 --> 02:57.720
it to identify which one is the real source of the scanning.

28
03:00.980 --> 03:04.820
I've used private IP addresses as decoys,

29
03:04.820 --> 03:09.740
but of course you can use public IP addresses as well.

30
03:09.740 --> 03:18.320
Note that the hosts you use as decoys should be up or you might accidentally SYN flood your targets. 

31
03:18.320 --> 03:25.850
Also it will be pretty easy to determine which host is scanning if only one is actually up on the network,

32
03:26.810 --> 03:32.810
so the decoy hosts must be up. In the next example

33
03:32.850 --> 03:41.400
I want to show you how to read the targets from a file. Passing a huge list of hosts is often awkward

34
03:41.640 --> 03:42.990
on the command line.

35
03:42.990 --> 03:46.960
Just imagine you have a list with 100 hosts

36
03:47.010 --> 03:54.720
you wanted to scan and you want to avoid writing 100 IP addresses at the command line; you simply generate

37
03:54.720 --> 04:03.120
the list of hosts to scan and pass that filename to Nmap as an argument to the -iL option.


38
04:03.180 --> 04:11.640
Let's create the list: vim hosts.txt 192.168.0.100

39
04:11.640 --> 04:23.220
the default gateway, the public DNS server from Google and vulnweb.com

40
04:24.230 --> 04:32.550
Entries can be in any of the formats accepted by nmap on the command line, so IP addresses, host

41
04:32.550 --> 04:34.980
names, networks and so on.

42
04:35.070 --> 04:42.090
Each entry must be separated by one or more spaces, tabs or new lines.

43
04:42.090 --> 04:49.780
So I want to scan these 4 hosts.

44
04:49.970 --> 04:58.200
You can use notepad or your preferred editor to create the text file and nmap -p

45
04:58.250 --> 05:10.160
I want to scan only port 80, 80 -iL and the name of the file hosts.txt, and it scanned

46
05:10.400 --> 05:13.260
those 4 hosts and port 80.

47
05:13.520 --> 05:19.830
If you want to speed up the scan you can disable reverse DNS, which is performed by default.

48
05:19.970 --> 05:23.350
You can use the -n option.

49
05:23.470 --> 05:36.490
This is reverse DNS; it tried to translate the IP address into a domain name, so -n.

50
05:36.560 --> 05:43.370
If you wanted to export the output into a file to further analyze it, you use the -oN

51
05:43.400 --> 05:53.360
option like this: -oN output.txt, and the file will be created.

52
05:55.230 --> 06:00.930
The output was displayed both at the console and saved into the file.

53
06:04.520 --> 06:10.070
This is the scan output. At the end of this lecture

54
06:10.080 --> 06:16.350
we'll discuss timing templates which are used to optimize and improve the quality and performance of

55
06:16.350 --> 06:17.440
the scan.

56
06:17.460 --> 06:24.490
These templates set the time interval nmap waits for a response and the time between each packet

57
06:24.550 --> 06:34.600
sent by nmap to the target; the -T option is used to set a timing template and there are 6 such

58
06:34.600 --> 06:42.480
templates. Each template has a name and a number. Let's take a look at the man page of nmap,

59
06:46.020 --> 06:57.430
and I'm searching for -T by typing /-T and Enter, and n to find the next occurrence,

60
06:57.670 --> 06:58.660
and one more time.

61
06:58.670 --> 06:59.830
And OK

62
07:02.600 --> 07:12.740
These are the templates: paranoid or 0; sneaky or 1; polite or 2; normal or 3; aggressive or 4; and insane,

63
07:12.740 --> 07:21.390
which is 5. These templates allow you to specify how aggressive you wish to be while leaving nmap

64
07:21.420 --> 07:31.110
to pick the exact timing values. The first two, paranoid and sneaky, are for intrusion detection system

65
07:31.110 --> 07:38.460
evasion, and nmap will slow down the scan a lot. You'll have to wait a longer time if there are more

66
07:38.460 --> 07:46.640
hosts and ports to be scanned. T3 or normal is the default and the last two will make nmap

67
07:46.710 --> 07:54.870
scan the target extremely fast. That will probably be detected and you'll sacrifice some accuracy for

68
07:54.870 --> 08:02.380
speed. If you want to see the exact time values for these templates you should take a look at the man

69
08:02.380 --> 08:03.660
page of nmap.

70
08:10.210 --> 08:17.980
You'll see a lot of details here; if you want to perform a fast scan, T4 is the recommended template

71
08:18.220 --> 08:26.910
in most cases. I'm exiting the man page by pressing q. Let's try such a fast scan on a

72
08:26.910 --> 08:39.040
target: nmap -T4, and I'll also use the -A option, which enables operating system and version

73
08:39.050 --> 08:47.210
detection, script scanning and traceroute. This is a really useful option. And the target1

74
08:51.330 --> 09:00.820
This scan will take a few tens of seconds! Remember that if you press the Enter key while it is running you'll

75
09:00.820 --> 09:01.780
see the progress.

76
09:05.080 --> 09:06.190
It's almost over!

77
09:11.030 --> 09:19.390
And it's over; we see the result of the scan! Okay, that's all! In the next lecture we'll talk about 

78
09:19.500 --> 09:22.790
Nmap Scripting Engine or NSE.