1
00:00:00,330 --> 00:00:06,510
One of the very first steps in any network reconnaissance mission is to reduce a set of IP ranges into

2
00:00:06,510 --> 00:00:14,070
a list of active or interesting hosts. Scanning every port of every single IP address is slow and usually

3
00:00:14,070 --> 00:00:15,210
unnecessary.

4
00:00:15,610 --> 00:00:21,590
In the No Port Scan option, using the -sn option, which was known as -sP

5
00:00:21,600 --> 00:00:29,430
in previous releases, you tell Nmap not to do a port scan after host discovery, and only print out

6
00:00:29,430 --> 00:00:35,280
the available hosts that responded to the host discovery probes. This scan type is often known as a "ping scan".

7
00:00:35,280 --> 00:00:40,910
Systems administrators often find this option valuable as well.

8
00:00:40,960 --> 00:00:47,020
It can easily be used to count available machines on a network or monitor server availability.

9
00:00:47,060 --> 00:00:53,380
This is often called a ping sweep and is more reliable than pinging the broadcast address because many

10
00:00:53,380 --> 00:00:56,050
hosts do not reply to broadcast queries.

11
00:00:56,380 --> 00:01:01,150
The default host discovery done with -sn, when executed by a privileged user, sends

12
00:01:01,390 --> 00:01:15,310
an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp

13
00:01:15,310 --> 00:01:16,630
request by default.

14
00:01:17,450 --> 00:01:24,770
When executed by an unprivileged user, only SYN packets are sent (using a connect call) to ports 80 and

15
00:01:24,770 --> 00:01:26,880
443 on the target.

16
00:01:26,960 --> 00:01:33,410
When a privileged user tries to scan targets on a local ethernet network, ARP requests are used unless

17
00:01:33,720 --> 00:01:36,040
--send-ip was specified.

18
00:01:36,280 --> 00:01:42,670
Let's perform the first Nmap scan of the course using Ping Scan, also known as No Port Scan.

19
00:01:43,030 --> 00:01:45,560
Nmap is embedded in Kali and defined in the path,

20
00:01:45,940 --> 00:01:51,940
so you can run Nmap from anywhere by just typing "nmap" in a terminal screen. When you type nmap

21
00:01:51,940 --> 00:01:53,590
and hit enter,

22
00:01:53,590 --> 00:01:55,620
you get the help page of Nmap.

23
00:01:55,660 --> 00:02:00,540
You can also look at the man page by typing "man nmap" to learn more.

24
00:02:00,550 --> 00:02:06,860
Let's build an nmap command to perform a ping scan: after the command itself, nmap,

25
00:02:06,970 --> 00:02:11,570
I first add the parameter to define the scan type as ping scan.

26
00:02:11,580 --> 00:02:18,180
Note that the order of the parameters is not important in Nmap. Now, enter the only mandatory parameter:

27
00:02:18,270 --> 00:02:28,040
the IP address. Here I enter 172.16.99.0/24. Network gurus already know what it is.

28
00:02:28,110 --> 00:02:39,450
Keeping it very simple, it means the IP addresses between 172.16.99.0 and 172.16.99.255.

29
00:02:39,640 --> 00:02:40,780
That's enough.

30
00:02:40,810 --> 00:02:42,040
Hit enter and run the command,

31
00:02:45,170 --> 00:02:47,060
and the results are in.

32
00:02:47,060 --> 00:02:49,470
These are the hosts which are up.

33
00:02:49,670 --> 00:02:55,550
That means these are the systems that responded to our request. Remember from the previous slide,

34
00:02:55,620 --> 00:03:04,330
our requests are ICMP echo, SYN for port 443, ACK for port 80 and ICMP timestamp requests,

35
00:03:04,350 --> 00:03:10,760
if the user is privileged. The IP addresses or the domain names of the systems are spread across a line.

36
00:03:10,770 --> 00:03:16,800
In most cases we want to see the IP addresses of the hosts as a list to use in further scans.

37
00:03:16,950 --> 00:03:22,690
So what can we do to see only the IP addresses of the live systems?

38
00:03:23,070 --> 00:03:29,970
Well, we're going to use the power of the Linux command shell. First, let's clear some lines of the result

39
00:03:30,000 --> 00:03:36,920
which do not contain IP addresses, so we'll only have the lines with IP addresses. To be able to do this,

40
00:03:36,930 --> 00:03:45,710
I'll use the "grep" command with a "pipe". Copy a static part of the IP lines, for example "Nmap scan", and give

41
00:03:45,710 --> 00:03:48,640
it as the parameter of the grep command.

42
00:03:48,980 --> 00:03:51,820
Let me give you a little tip here if you're using a mouse.

43
00:03:51,920 --> 00:03:57,530
Select a string in the terminal screen and press the middle button of the mouse to copy and paste the

44
00:03:57,530 --> 00:04:00,080
selected part.

45
00:04:00,080 --> 00:04:07,710
Now we only have the lines which contain the IP addresses.

46
00:04:07,800 --> 00:04:11,320
But wait a second, we have a domain name of a host.

47
00:04:11,370 --> 00:04:14,700
Let's get rid of the domain name and see only the IP address of it.

48
00:04:15,650 --> 00:04:20,769
In the nmap command, add the -n parameter to avoid name resolution, so

49
00:04:20,940 --> 00:04:24,290
nmap will display only the IP address.

50
00:04:24,290 --> 00:04:27,440
Now we have the lines with IP addresses.

51
00:04:27,490 --> 00:04:34,210
Now the second step is to clear the words in the lines to have only the IP address. To do this, we'll

52
00:04:34,200 --> 00:04:36,230
use the "cut" command of the Linux shell.

53
00:04:39,410 --> 00:04:40,070
Delimiter.

54
00:04:40,070 --> 00:04:44,450
Here it is the space character; give it with the -d parameter.

55
00:04:48,760 --> 00:04:56,700
The IP is the 5th field of the line; give it with the -f parameter.

56
00:04:56,700 --> 00:04:59,040
Now we have the IP list of live hosts.
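As an added example, not part of the course video, the grep and cut pipeline from the lecture run as a small shell script over a constructed piece of nmap -sn output, so it can be tried offline; the hostname fileserver.lab.local and the addresses are invented sample data, and extract_live_ips is an added, sturdier variant that pulls the address out even when nmap resolved a name (the situation the lecture fixes with -n).

```shell
#!/bin/sh
# Added example (not from the course): the lecture's grep | cut pipeline,
# run over constructed "nmap -sn" output so it works with no network.

# Constructed sample shaped like the output of: nmap -sn 172.16.99.0/24
# (run WITHOUT -n, so one report line carries a resolved hostname).
SAMPLE_NMAP_SN='Starting Nmap ( https://nmap.org ) at 2024-01-01 10:00 UTC
Nmap scan report for 172.16.99.1
Host is up (0.0010s latency).
Nmap scan report for fileserver.lab.local (172.16.99.10)
Host is up (0.0021s latency).
Nmap scan report for 172.16.99.42
Host is up (0.0030s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.50 seconds'

# The lecture's pipeline: keep only the "Nmap scan" report lines, then take
# the 5th space-separated field. Reads nmap output on stdin.
lecture_pipeline() {
    grep 'Nmap scan' | cut -d ' ' -f 5
}

# Sturdier variant: extract the dotted-quad from each report line whether or
# not nmap resolved a hostname, so the parse does not depend on -n.
extract_live_ips() {
    grep 'Nmap scan report for' | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}'
}

# Demonstration: without -n, field 5 of the resolved host's line is the
# hostname rather than the address, which is why the lecture adds -n.
printf '%s\n' "$SAMPLE_NMAP_SN" | lecture_pipeline
printf '%s\n' "$SAMPLE_NMAP_SN" | extract_live_ips
```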