1 00:00:00,060 --> 00:00:08,510 Port scan with Nmap allows you to discover which TCP or UDP ports are open on your target host.
2 00:00:08,510 --> 00:00:14,420 Ports are the entry points to a machine that is connected to the Internet. A service that listens on a
3 00:00:14,420 --> 00:00:21,760 port is able to receive data from a client application, process it and send a response back. A malicious
4 00:00:21,760 --> 00:00:27,410 client can sometimes exploit vulnerabilities in the server code, so they can gain access to sensitive
5 00:00:27,410 --> 00:00:32,360 data or execute malicious code on the machine remotely.
6 00:00:32,360 --> 00:00:38,690 That is why testing for all ports is necessary in order to achieve a thorough security verification.
7 00:00:39,680 --> 00:00:45,920 Port scanning is usually done in the initial phase of a penetration test in order to discover all network
8 00:00:45,920 --> 00:00:53,150 entry points into the target system. Port scan takes the biggest part of our Nmap lectures. In
9 00:00:53,150 --> 00:00:56,060 "the most basic port scan types" lectures, we
10 00:00:56,060 --> 00:01:05,990 see the following: Nmap options for port scanning, SYN scan, TCP scan, comparison between the SYN scan and TCP scan,
11 00:01:06,110 --> 00:01:11,830 UDP scan and some other types of port scan.
12 00:01:12,680 --> 00:01:19,010 SYN scan is the default and most popular scan option for good reasons. It can be performed quickly,
13 00:01:19,070 --> 00:01:25,020 scanning thousands of ports per second on a fast network not blocked by restrictive firewalls.
14 00:01:25,790 --> 00:01:31,250 It's also relatively stealthy since it never completes TCP connections.
15 00:01:31,280 --> 00:01:37,450 It also allows clear, reliable differentiation between the open, closed and filtered states.
16 00:01:38,060 --> 00:01:44,130 This technique is often referred to as half-open scanning because you don't open a full TCP connection.
17 00:01:45,860 --> 00:01:51,380 You send a SYN packet, as if you are going to open a real connection, and then wait for a response.
18 00:01:52,370 --> 00:02:00,350 A SYN/ACK indicates the port is listening (open), while a RST (reset) is indicative of a non-listener.
19 00:02:01,070 --> 00:02:07,630 If no response is received after several retransmissions, or an ICMP unreachable error is received,
20 00:02:07,670 --> 00:02:13,180 the port is marked as filtered. If you receive a SYN/ACK from the target system,
21 00:02:13,520 --> 00:02:19,570 you send a RST instead of an ACK packet and you do not complete the three-way handshake.
22 00:02:19,570 --> 00:02:28,920 Let's perform an Nmap SYN scan in our virtual network. Go to Kali and open a terminal screen.
23 00:02:28,920 --> 00:02:32,350 First, let's look at the IP address of Kali to understand the IP block.
24 00:02:33,350 --> 00:02:37,520 Here, my IP block is 172.16.99.
25 00:02:37,820 --> 00:02:43,410 This is because the netmask is 255.255.255.0.
26 00:02:43,430 --> 00:02:46,730 I don't want to go further into network basics in this course.
27 00:02:46,910 --> 00:02:47,420 You know what,
28 00:02:47,430 --> 00:02:48,490 okay, fine.
29 00:02:48,800 --> 00:02:53,600 I'm going to add an IPv4 document to the course resources.
30 00:02:53,600 --> 00:02:58,880 Let's create the SYN scan command: nmap is the command itself,
31 00:02:59,880 --> 00:03:06,560 -sS is for SYN scan. Since it's the default scan type for privileged users and I'm already a privileged
32 00:03:06,560 --> 00:03:07,850 user in Kali,
33 00:03:07,970 --> 00:03:12,290 this parameter is not necessary for a SYN scan.
34 00:03:12,320 --> 00:03:19,570 Now the target IP block: 172.16.99.0/24.
35 00:03:19,730 --> 00:03:28,070 As we talked about before, this is the IP address block from 172.16.99.0
36 00:03:28,310 --> 00:03:31,920 to 172.16.99.255.
37 00:03:31,950 --> 00:03:36,080 Let's keep it fast, scan for the top 50 ports.
38 00:03:36,260 --> 00:03:43,500 I use the --top-ports parameter for this purpose and hit enter.
39 00:03:43,600 --> 00:03:45,320 Now let's look at the scan results.
40 00:03:45,490 --> 00:03:52,630 Here we have the computers which have the IP addresses 172.16.99.1 and 2.
41 00:03:52,930 --> 00:03:59,410 These are the gateway and DNS server for my virtual network, vmnet. Ignore them for now.
42 00:03:59,430 --> 00:04:02,240 In fact, one is my host machine at the same time.
43 00:04:02,280 --> 00:04:07,570 Here there is a system and its open ports in the top 50.
44 00:04:07,570 --> 00:04:08,630 There's another machine,
45 00:04:08,670 --> 00:04:11,170 and of course its open ports.
46 00:04:20,529 --> 00:04:26,820 The machine with IP 254 is the DHCP server of my vmnet. Ignore that as well.
47 00:04:27,020 --> 00:04:30,520 And the last machine found is the Kali itself.
48 00:04:31,040 --> 00:04:31,560 OK.
49 00:04:31,700 --> 00:04:35,690 OK, let's open Wireshark and see what's happening when a SYN scan is performed:
50 00:04:36,680 --> 00:04:44,300 Run Wireshark first. Double-click eth0 to start listening on that interface. Skip the packets
51 00:04:44,300 --> 00:04:46,310 which we are not interested in.
52 00:04:46,340 --> 00:04:47,840 I add a filter.
53 00:04:47,840 --> 00:04:55,940 I only want to see the traffic from my destination computer 172.16.99.139 and I want to see the
54 00:04:55,940 --> 00:05:03,400 TCP traffic only. Click the blue arrow next to the filter bar to activate the filter. OK.
55 00:05:03,420 --> 00:05:05,960 Now go to the terminal screen.
56 00:05:06,110 --> 00:05:10,760 I'd like to analyse the SYN scan packets for an open port first.
57 00:05:11,000 --> 00:05:15,910 172.16.99.139 is my destination system,
58 00:05:16,220 --> 00:05:23,500 and I know that port 80 of that system is open. Hit enter and run the nmap query.
59 00:05:23,500 --> 00:05:26,820 Yes, the port is open, as I remember.
60 00:05:26,930 --> 00:05:29,300 Go back to Wireshark.
61 00:05:29,350 --> 00:05:35,530 I want to stop Wireshark by clicking the red square at the upper left corner to avoid unwanted packets.
62 00:05:35,530 --> 00:05:37,700 So here we have three packets.
63 00:05:38,020 --> 00:05:44,560 The first packet is from an arbitrary port of Kali to the 80th port of the system 139,
64 00:05:44,560 --> 00:05:45,910 the destination system.
65 00:05:45,910 --> 00:05:49,390 It is a packet to start a three-way handshake.
66 00:05:49,590 --> 00:05:54,420 The second packet is a SYN/ACK sent by the destination system.
67 00:05:54,420 --> 00:06:00,900 The third packet is a RST sent by Kali. Because it's a SYN scan, the 3-way handshake is not completed
68 00:06:01,020 --> 00:06:03,680 and is corrupted by a RST packet.
69 00:06:03,690 --> 00:06:09,750 Now I restart the Wireshark packet capturing to clear its screen by clicking the upper left blue button.
70 00:06:09,930 --> 00:06:18,160 OK, so this time I scan a closed port, for example port 81.
71 00:06:18,370 --> 00:06:22,870 Now, the first packet is again a SYN packet to start the 3-way handshake again.
72 00:06:23,170 --> 00:06:28,390 The source system is Kali and the destination system is again 139.
73 00:06:28,640 --> 00:06:35,150 The second packet is, for this scan, a RST packet. Because port 81 is closed,
74 00:06:35,150 --> 00:06:38,200 the destination system sent us a RST packet.
75 00:06:38,420 --> 00:06:44,280 Let's see how Nmap interprets the results of a SYN scan: When we send a SYN packet,
76 00:06:44,640 --> 00:06:49,670 the destination system replies with a SYN/ACK packet to show that it's ready for a connection.
77 00:06:50,650 --> 00:06:59,700 And we send a RST to corrupt the handshake. Nmap interprets this result as: the port is open.
78 00:06:59,770 --> 00:07:07,940 If the destination system replies with a RST packet to our SYN packet, that means: the port is accessible,
79 00:07:07,940 --> 00:07:09,670 but it's closed.
80 00:07:09,700 --> 00:07:16,490 If the destination system doesn't respond to our SYN packet, Nmap thinks that the packet is dropped,
81 00:07:16,490 --> 00:07:20,650 or, filtered. It's a common behaviour of firewalls.
82 00:07:20,780 --> 00:07:28,400 If the destination system replies with an ICMP unreachable packet to our SYN packet, again it's interpreted as "filtered".
84 00:07:29,390 --> 00:07:31,310 This is another type of firewall behaviour.