1 00:00:00,790 --> 00:00:05,380 In this lecture, we are going to see how we can scan networks and our target machines.
2 00:00:07,689 --> 00:00:14,260 Network scanning refers to the set of procedures appropriate for identifying network hosts or services.
3 00:00:14,890 --> 00:00:20,420 It is one of the key components of intelligence gathering that attackers use to create a profile of
4 00:00:20,420 --> 00:00:21,790 the target organization.
5 00:00:22,420 --> 00:00:24,580 It has the following main objectives.
6 00:00:25,330 --> 00:00:30,010 Discover live hosts, IP addresses and open ports for all live hosts.
7 00:00:30,980 --> 00:00:33,440 Discover OS and system architecture.
8 00:00:34,480 --> 00:00:38,850 Discover services on the live hosts and discover vulnerabilities on live
9 00:00:38,940 --> 00:00:39,390 hosts.
10 00:00:40,990 --> 00:00:47,380 Nmap is a free and open source network scanner, which is used to discover hosts and services on a computer
11 00:00:47,380 --> 00:00:50,860 network by sending packets and analyzing the responses.
12 00:00:51,990 --> 00:00:57,720 Nmap provides a number of features for probing computer networks, including host discovery and service
13 00:00:57,720 --> 00:00:59,250 and operating system detection.
14 00:01:00,240 --> 00:01:06,030 These features are extensible by scripts that provide more advanced service detection, vulnerability
15 00:01:06,030 --> 00:01:07,560 detection and other features.
16 00:01:08,590 --> 00:01:13,720 And Nmap can adapt to network conditions, including latency and congestion, during a scan.
17 00:01:17,010 --> 00:01:20,280 Nmap provides results in the form of port states.
18 00:01:20,820 --> 00:01:25,590 But many scanners have traditionally lumped all ports into open or closed states.
19 00:01:25,650 --> 00:01:27,750 Nmap is much more granular.
20 00:01:28,380 --> 00:01:30,630 It divides ports into six states.
21 00:01:30,930 --> 00:01:35,670 Open, closed, filtered, unfiltered, open|filtered or closed|filtered.
22 00:01:36,700 --> 00:01:42,670 These states are not intrinsic properties of the port itself, but describe how Nmap sees them.
23 00:01:43,830 --> 00:01:46,560 For example, a scan from the same network
24 00:01:46,590 --> 00:01:48,540 as the target may show port
25 00:01:48,570 --> 00:01:54,390 135/tcp as open, while a scan at the same time with the same options from across the Internet
26 00:01:54,390 --> 00:01:56,670 might show that port as filtered.
27 00:02:02,830 --> 00:02:07,540 An open port indicates that an application is listening for connections on the port.
28 00:02:08,110 --> 00:02:11,260 The primary goal of port scanning is to find these.
29 00:02:12,110 --> 00:02:12,460 Closed
30 00:02:12,470 --> 00:02:17,210 port indicates that the port was reachable, but there is no application listening on the port.
31 00:02:18,360 --> 00:02:23,430 A filtered port indicates that probes were not received and the state could not be established.
32 00:02:24,480 --> 00:02:28,860 Unfiltered indicates the probe was received, but the state could not be established.
33 00:02:29,280 --> 00:02:35,820 In other words, the port is accessible and Nmap is unable to determine whether it is open or closed.
34 00:02:36,900 --> 00:02:42,360 Open|filtered indicates the port was filtered or open, but Nmap could not establish the state.
35 00:02:43,050 --> 00:02:49,980 Similarly, closed|filtered indicates that Nmap is unable to determine whether the port is closed or filtered.
36 00:02:52,530 --> 00:02:56,970 So before jumping on the actual scanning, we need to know about the TCP header.
37 00:02:58,250 --> 00:03:00,680 And the most important thing, the flags.
38 00:03:03,690 --> 00:03:10,870 Nmap uses these flags to conduct different types of scans; these are the URG, ACK, PSH, RST, SYN and FIN
39 00:03:10,910 --> 00:03:11,640 flags.
40 00:03:12,710 --> 00:03:16,340 The other thing that we need to know is about the handshake.
41 00:03:17,820 --> 00:03:20,010 When a TCP connection is established,
42 00:03:20,040 --> 00:03:28,140 the client sends a SYN packet with the SYN flag set, the server responds with the SYN and ACK flags set, and
43 00:03:28,140 --> 00:03:34,050 the client again sends the ACK packet with the flag set, and then the handshake completes.
44 00:03:35,280 --> 00:03:42,840 Similarly, on connection termination, the client sends a FIN packet with the flag set, the server responds with FIN-ACK,
45 00:03:42,990 --> 00:03:46,440 and the client sends back ACK, and the connection is terminated.
46 00:03:50,190 --> 00:03:52,290 Now, let's see some scan types.
47 00:03:53,040 --> 00:03:56,400 There are a number of scan types that Nmap supports.
48 00:03:56,580 --> 00:03:59,430 We are going to see only the most popular ones.
49 00:04:02,310 --> 00:04:07,260 Now, the ping scan is used to scan for the live hosts on the network.
50 00:04:07,590 --> 00:04:12,750 Just use the command with the flag and it will tell us which hosts are up.
51 00:04:16,540 --> 00:04:23,350 For example, to scan a machine's network, I used the command as shown on the screen.
52 00:04:24,900 --> 00:04:30,590 Then you can scan the complete network for live hosts, and we can see a couple of hosts in the target
53 00:04:30,600 --> 00:04:31,140 network.
54 00:04:32,370 --> 00:04:38,600 The second is the TCP connect scan or TCP scan. It will scan for all ports and check for listening
55 00:04:38,610 --> 00:04:42,900 ports through a three-way handshake connection between the source and the destination port.
56 00:04:43,200 --> 00:04:45,690 It can be launched with the flag -sT.
57 00:04:46,290 --> 00:04:52,230 This scan does take longer and requires more packets to obtain the same information, and target
58 00:04:52,230 --> 00:04:54,810 machines are more likely to log this connection.
59 00:04:58,260 --> 00:05:03,060 Now, let's go to our machine and launch the scan with the -sT flag.
60 00:05:07,010 --> 00:05:10,640 And Nmap will provide a detailed report along with the open ports.
61 00:05:18,790 --> 00:05:22,780 The third and the most popular scan type is the TCP SYN scan.
62 00:05:22,990 --> 00:05:29,460 This scan is often referred to as half-open scanning because you don't open a full TCP connection. You send
63 00:05:29,470 --> 00:05:34,480 a SYN packet as if you are going to open a real connection and then wait for the response.
64 00:05:34,750 --> 00:05:37,270 This scan can be run with the -sS flag.
65 00:05:39,520 --> 00:05:45,310 SYN scan is the default and the most popular scan option for good reasons. It can be performed quickly,
66 00:05:45,310 --> 00:05:51,010 scanning thousands of ports per second on a fast network not hampered by restrictive firewalls.
67 00:05:55,890 --> 00:05:57,490 Now, on our machine,
68 00:05:57,750 --> 00:05:59,910 let's launch the scan with the -sS flag.
69 00:06:05,260 --> 00:06:08,740 But you need to have root privileges to launch this type of scan.
70 00:06:09,620 --> 00:06:11,900 Just give the command again with sudo.
71 00:06:12,990 --> 00:06:14,830 And Nmap will scan the target.
72 00:06:21,370 --> 00:06:23,700 The next scan type is the UDP scan.
73 00:06:24,240 --> 00:06:29,650 UDP scan works by sending a UDP packet to every targeted port. For most ports,
74 00:06:29,860 --> 00:06:31,300 this packet will be empty,
75 00:06:31,330 --> 00:06:36,790 no payload, but for a few of the more common ports a protocol-specific payload will be sent by
76 00:06:36,790 --> 00:06:37,420 Nmap.
77 00:06:38,020 --> 00:06:44,770 This is launched by the -sU flag. UDP is a connectionless protocol, and there is no protocol-defined relationship
78 00:06:44,770 --> 00:06:46,780 between packets in either direction.
79 00:06:47,380 --> 00:06:52,250 However, most operating systems return an ICMP port unreachable packet
80 00:06:52,270 --> 00:06:58,900 if a packet is sent to a closed port. A port that does not return an ICMP packet can be assumed
81 00:06:58,960 --> 00:06:59,590 open.
82 00:06:59,950 --> 00:07:04,420 Normally, if any response is received, the port is assigned the state of open.
83 00:07:04,510 --> 00:07:11,880 If no response is received, it is classified as open|filtered, and if an ICMP port unreachable error
84 00:07:11,890 --> 00:07:18,880 (type 3, code 3) is received, it is classified as closed, and for other ICMP unreachable errors, it is classified
85 00:07:18,880 --> 00:07:19,630 as filtered.
86 00:07:21,250 --> 00:07:21,520 Now,
87 00:07:21,520 --> 00:07:24,100 let's launch the UDP scan against our target.
88 00:07:24,400 --> 00:07:26,980 Let's give the target IP and the -sU flag.
89 00:07:28,130 --> 00:07:29,570 It scans the target.
90 00:07:32,960 --> 00:07:35,150 So these are all the UDP ports that are open.
91 00:07:41,960 --> 00:07:43,670 The next scan is the FIN scan.
92 00:07:43,700 --> 00:07:50,060 It is one of the port scanning methods which uses the sheer stupidity of the old and stateless firewalls.
93 00:07:50,570 --> 00:07:56,230 In fact, when it comes to FIN scan, the scanner software sends a packet with a flag in the form of
94 00:07:56,240 --> 00:07:59,870 FIN (end of session) to the destination firewall or host.
95 00:08:00,350 --> 00:08:07,130 If no response is received, it means the port is either open or filtered, or if the return is a reset
96 00:08:07,130 --> 00:08:09,560 (RST), it means the server port is closed.
97 00:08:10,710 --> 00:08:15,270 Often it is used to terminate the connection between the source and destination port,
98 00:08:15,390 --> 00:08:17,850 typically after the data transfer is complete.
99 00:08:18,630 --> 00:08:24,300 However, rather than even pretending to initiate a standard TCP connection, it sends a single FIN
100 00:08:24,300 --> 00:08:31,830 packet to the target. If the target is RFC 793 compliant, an open port will drop the packet and a closed port will
101 00:08:31,830 --> 00:08:32,850 send a reset.
102 00:08:34,900 --> 00:08:37,840 Now, let's launch the FIN scan with the -sF flag.
103 00:08:39,809 --> 00:08:43,620 I'm also giving the -T5 flag to speed up the process.
104 00:08:48,430 --> 00:08:52,360 Then you can see that we have the result in the form of open|filtered ports.
105 00:08:58,750 --> 00:09:05,080 The other scan types are Null and Xmas scans, which work in a similar fashion as FIN scans. An Xmas scan
106 00:09:05,080 --> 00:09:12,580 sets the FIN, URG and PSH flags, while a Null scan sends a sequence of TCP packets with sequence number zero and
107 00:09:12,580 --> 00:09:13,600 no flags set.
108 00:09:14,930 --> 00:09:17,330 We can launch a Null scan with the -sN flag,
109 00:09:22,910 --> 00:09:27,410 whereas an Xmas scan is launched with the help of the -sX flag.
110 00:09:29,060 --> 00:09:30,890 Then you can see the port states.
111 00:09:37,650 --> 00:09:43,770 Nmap has a variety of scan types and you can check the different types of scans by the link that I have
112 00:09:43,770 --> 00:09:44,160 shared.
113 00:09:45,000 --> 00:09:50,490 However, the most popular ones that are in use are version detection and OS detection,
114 00:09:52,170 --> 00:09:55,200 which are launched by the -sV flag and the -O flag.
115 00:09:58,770 --> 00:10:04,560 So let's scan a target for the last time and check the different versions of the services that are running
116 00:10:04,560 --> 00:10:05,400 on the system.
117 00:10:08,360 --> 00:10:15,410 -A will check the system for the most popular options, including version detection and OS detection, and
118 00:10:15,440 --> 00:10:18,230 -sC will check the target with the default Nmap scripts.
119 00:10:21,490 --> 00:10:27,790 And you can see that this report is more detailed than our previous scans, and we can see exactly the different
120 00:10:27,790 --> 00:10:30,790 versions of the different services that are running on the system.
121 00:10:37,800 --> 00:10:42,720 And we are going to target this vsftpd service to exploit the system.
122 00:10:48,080 --> 00:10:51,230 I hope you like this lecture, and see you in the next lecture.