Ping scans are a valuable method for determining whether a host is online and responsive. While traditional TCP ping scans are commonly used, UDP ping scans offer an advantage: they can detect systems behind firewalls that apply strict TCP filtering but have left UDP exposed. In this lecture we will explore how to perform a UDP ping scan using Nmap and its related options.

So let's initiate a UDP ping scan. Open your terminal and clear it. We enter nmap with the -sn option and then the -PU option, with the uppercase letters as shown. After that we enter the first target, the Code Silicon domain. As you can see, Nmap reports that this only works if you are root, so we use sudo, enter the password, and that's it. This command instructs Nmap to perform host discovery using UDP ping scanning.

Now let's take another look by scanning the target scanme.nmap.org. We delete the Code Silicon target and enter scanme.nmap.org. So now we are scanning scanme.nmap.org. As you can see, zero hosts are up: Nmap notes that the host seems down and that, if it is really up but blocking our ping probes, we should try the option it suggests (-Pn). With that option added, as you can see, the host is up, and Nmap lists other addresses for scanme which were not scanned.
This is the IPv6 address. So after executing this command, Nmap provides a scan report indicating whether the target host is online. Additionally, it might display alternative IP addresses associated with the target, for instance this one here. We will also test it with the Code Silicon target again, and as you can see we have our address listed, and so on.

So let's actually think about how it works. UDP ping scanning operates by sending an empty UDP packet to the target port. If the host is online, it should respond with an ICMP port unreachable error. On the other hand, if the host is offline, various other ICMP messages may be returned.

So we will try that again and enter some nonsense hostname. Nmap reports that no targets were specified, because it couldn't resolve this name. If we instead give 111 here, as you can see, the host is down.

It's worth noting that open ports that do not respond to empty UDP packets can generate false positives, as you can see here during the scan: a service running on those ports might simply ignore the UDP packets, leading to an incorrect offline status for the host.
As you've seen in previous lectures and examples, when we entered the Code Silicon target, it is in reality up and running, but here, as you can see, Nmap reports that it's down. So to improve the accuracy of the scan results, selecting closed ports as targets can be beneficial. To specify the ports to be probed in UDP ping scans, you can add a port list or range directly after the -PU option. So we delete the -sn now because of that, and after -PU, without spaces, we enter the range 0-1500. Now it will send UDP probes to ports 0 through 1500. So now we are waiting for it. As you can see, it's progressing: 17%, then almost 60%. While this is loading, we can go to another example.

Ping scans are commonly used to determine the online status of a host, and ICMP echo request messages, which are specifically designed for this purpose, are employed in ICMP ping scans to reliably detect a host's status. In this part of the lecture we will explore how to perform an ICMP ping scan using Nmap and the flags associated with the different types of supported ICMP messages. So let's see the output here.
As you can see, it's almost done. We have open ports and services listed here, and also our DNS record. So let's delete this and execute another scan: nmap -sn -PE followed by the Code Silicon target. What we are doing here is initiating an ICMP ping scan. As you can see, without root Nmap warns that it is using a TCP ping scan rather than ICMP, so that's why we need to run it with sudo. Here we get the output; it's almost done. This command instructs Nmap to send an ICMP echo request packet to the specified target.

We will also do another example with scanme.nmap.org. After initiating this scan, it's almost done, just about 20% left. As you can see, it is undergoing a SYN stealth scan, and the stealth scan timing shows about 7% left, almost done. Here we also got the DNS record again, and so on. Now we execute the same against scanme.nmap.org. Upon executing the command, Nmap will provide a scan report indicating whether the host is responding, as it did here. Additionally, it may display the latency and other relevant information, for example this here.
So let's now think about how it works. The -sn -PE options direct Nmap to send an ICMP echo request packet to the target host. If the host responds with an ICMP echo reply, we can determine that it is online. By utilizing the --packet-trace option, we can gain insight into the underlying process.

I also have some additional insights here. ICMP ping scanning supports various ICMP message types, although remote ICMP traffic is typically blocked, so it is mostly usable within local networks. To explore more ICMP ping scan configuration options, refer to the documentation and resources available for Nmap.

We also have the local versus remote network consideration. It's important to keep in mind that while ICMP ping scans can be useful for monitoring local networks, remote ICMP packets are often blocked by system administrators, so their effectiveness may vary depending on the network configuration. In addition to the ICMP echo request, other ICMP messages can also be employed for host discovery: Nmap supports ICMP timestamp probes, which is the uppercase -PP option. So let's also try -PP here, and this is the address.
We can also use address mask (-PM) messages as an alternative technique. These variations can bypass misconfigured firewalls that only block ICMP echo requests. To perform scans using these ICMP types, you can use this command, as you can see here, with -PP. We add --packet-trace to see what's going on under the hood, and after that we use -PP, since we executed it already. Now, as you can see, the host seems down, because this website has a firewall that blocks this ICMP ping scan as well as the ICMP echo requests.
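As an added example that is not part of the lecture: a defender-side Python script that reads constructed iptables-style firewall log lines and labels which of the Nmap host-discovery probes discussed above each line resembles (ICMP echo, timestamp and address mask requests, and the empty UDP probe of -PU). The log lines, the IP addresses and the label strings are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed iptables LOG lines (not from the lecture). iptables prints the IP
# total length as LEN=... before PROTO and, for UDP, the UDP length as a second
# LEN=... after DPT; dict() keeps the last one, which is the UDP length we want.
SAMPLE_LOG = """\
kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=28 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 PROTO=ICMP TYPE=13 CODE=0 ID=1 SEQ=2
kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=32 PROTO=ICMP TYPE=17 CODE=0 ID=1 SEQ=3
kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=28 PROTO=UDP SPT=51842 DPT=40125 LEN=8
kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=UDP SPT=40000 DPT=53 LEN=40
kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=28 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
"""

# ICMP request types behind the Nmap flags covered in the lecture.
ICMP_PROBE_FLAGS = {8: "-PE echo request", 13: "-PP timestamp request", 17: "-PM address mask request"}
UDP_HEADER_LEN = 8  # a UDP datagram whose UDP length equals the header size carries no payload

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def classify_line(line):
    """Return (src, probe_label) if the line looks like a ping-scan probe, else None."""
    fields = dict(FIELD_RE.findall(line))
    src, proto = fields.get("SRC"), fields.get("PROTO")
    if proto == "ICMP":
        icmp_type = int(fields.get("TYPE", -1))
        if icmp_type in ICMP_PROBE_FLAGS:
            return src, ICMP_PROBE_FLAGS[icmp_type]
    elif proto == "UDP" and int(fields.get("LEN", 0)) == UDP_HEADER_LEN:
        # Empty UDP datagram: the payload-less probe -PU sends (Nmap's default port is 40125).
        return src, f"-PU empty UDP probe to port {fields.get('DPT')}"
    return None

def probe_summary(log_text):
    """Map each source IP to the sorted set of probe labels seen from it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        hit = classify_line(line)
        if hit:
            seen[hit[0]].add(hit[1])
    return {src: sorted(kinds) for src, kinds in seen.items()}

def suspicious_sources(log_text, min_kinds=2):
    """Sources that tried several probe types in a row look like a discovery sweep, not a stray ping."""
    return sorted(src for src, kinds in probe_summary(log_text).items() if len(kinds) >= min_kinds)

if __name__ == "__main__":
    for src, kinds in probe_summary(SAMPLE_LOG).items():
        print(src, kinds)
    print("multi-probe sources:", suspicious_sources(SAMPLE_LOG))
```

A normal DNS query (the LEN=40 UDP line) and a single echo request from the second source are not flagged as a sweep, which is the distinction a firewall-log review wants.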