1
00:00:00,270 --> 00:00:06,510
One of the very first steps in any network reconnaissance mission is to reduce a set of IP ranges into

2
00:00:06,510 --> 00:00:09,000
a list of active or interesting hosts.

3
00:00:09,450 --> 00:00:17,190
Scanning every port of every single IP address is slow and usually unnecessary. -sn: the no port scan option.

4
00:00:18,060 --> 00:00:26,400
Using an option which was known as -sP in previous releases, you tell Nmap not to do a port scan

5
00:00:26,400 --> 00:00:33,210
after host discovery and only print out the available hosts that responded to the host discovery probes.

6
00:00:33,300 --> 00:00:35,700
This scan type is often known as a ping scan.

7
00:00:36,870 --> 00:00:40,290
Systems administrators often find this option valuable as well.

8
00:00:40,890 --> 00:00:46,500
It can easily be used to count available machines on a network or monitor server availability.

9
00:00:47,040 --> 00:00:53,370
This is often called a ping sweep and is more reliable than pinging the broadcast address because many

10
00:00:53,400 --> 00:00:55,710
hosts do not reply to broadcast queries.

11
00:00:56,340 --> 00:01:01,920
The default host discovery done with -sn, when executed by a privileged user, sends:

12
00:01:02,890 --> 00:01:05,020
an ICMP echo request,

13
00:01:06,050 --> 00:01:08,900
a TCP SYN packet to port 443,

14
00:01:09,830 --> 00:01:12,200
a TCP ACK packet to port 80,

15
00:01:13,140 --> 00:01:16,500
and an ICMP timestamp request by default.

16
00:01:17,380 --> 00:01:24,370
When executed by an unprivileged user, only SYN packets are sent, using a connect call, to ports 80

17
00:01:24,550 --> 00:01:31,690
and 443 on the target. When a privileged user tries to scan targets on a local Ethernet network, ARP

18
00:01:31,750 --> 00:01:35,350
requests are used unless --send-ip was specified.
19
00:01:36,210 --> 00:01:42,330
Let's perform the first Nmap scan of the course using ping scan, also known as no port scan. Nmap

20
00:01:42,330 --> 00:01:48,990
is embedded in Kali and defined in the path, so you can run Nmap from anywhere just by typing

21
00:01:48,990 --> 00:01:50,490
nmap in a terminal screen.

22
00:01:50,790 --> 00:01:55,200
When you type nmap and hit enter, you get the help page of Nmap.

23
00:01:55,620 --> 00:02:00,150
You can also look at the man page by typing man nmap to learn more.

24
00:02:00,510 --> 00:02:03,120
Let's build an Nmap command to perform a ping scan.

25
00:02:04,290 --> 00:02:10,560
After the command itself, nmap, I first add the parameter to define the scan type as ping scan.

26
00:02:11,540 --> 00:02:14,480
Note that the order of the parameters is not important in Nmap.

27
00:02:15,890 --> 00:02:23,440
Now, enter the only mandatory parameter, the IP address. Here I enter 172.16.99.0/24.

28
00:02:23,540 --> 00:02:27,680
Network gurus already know what it is.

29
00:02:28,040 --> 00:02:35,030
Keeping it very simple, it means the IP addresses between 172.16.99.0 and

30
00:02:35,030 --> 00:02:38,510
172.16.99.255.

31
00:02:39,600 --> 00:02:40,080
That's enough.

32
00:02:40,740 --> 00:02:42,090
Hit enter and run the command.

33
00:02:45,140 --> 00:02:46,770
And the results are in.

34
00:02:47,000 --> 00:02:52,940
These are the hosts which are up; that means these are the systems that responded to our request.

35
00:02:53,900 --> 00:03:01,940
Remember from the previous slide, our requests are ICMP echo, SYN for port 443, ACK for port 80 and

36
00:03:01,940 --> 00:03:03,790
ICMP timestamp requests.

37
00:03:04,280 --> 00:03:10,130
If the user is privileged, the IP addresses or the domain names of the systems are spread across a

38
00:03:10,130 --> 00:03:10,550
line.
39
00:03:10,700 --> 00:03:15,980
In most cases, we want to see the IP addresses of the hosts as a list to use in further scans.

40
00:03:16,910 --> 00:03:22,370
So what can we do to see only the IP addresses of the live systems?

41
00:03:23,000 --> 00:03:26,750
Well, we're going to use the power of the Linux command shell.

42
00:03:27,790 --> 00:03:33,310
First, let's clear some lines of the result which do not contain IP addresses, so we'll only have

43
00:03:33,310 --> 00:03:36,520
the lines with IP addresses. To be able to do this,

44
00:03:36,880 --> 00:03:39,670
I'll use the grep command with a pipe.

45
00:03:40,540 --> 00:03:48,340
Copy a static part of the IP lines, for example "Nmap scan", and give it as a parameter of the grep command.

46
00:03:48,940 --> 00:03:51,370
Let me give you a little tip here if you're using a mouse.

47
00:03:51,910 --> 00:03:57,520
Select a string in the terminal screen and press the middle button of the mouse to copy and paste the

48
00:03:57,520 --> 00:03:58,300
selected part.

49
00:04:00,020 --> 00:04:03,170
Now we only have the lines which contain the IP addresses.

50
00:04:07,740 --> 00:04:10,830
But wait a second, we have a domain name of a host.

51
00:04:11,340 --> 00:04:14,580
Let's get rid of the domain name and see only the IP address of it.

52
00:04:15,590 --> 00:04:20,540
Add to the nmap command the -n parameter to avoid name resolution.

53
00:04:20,900 --> 00:04:23,180
So Nmap will display only the IP address.

54
00:04:24,240 --> 00:04:26,190
Now we have the lines with IP addresses.

55
00:04:27,450 --> 00:04:32,430
Now the second step is to clear the words in the lines to have only the IP addresses.

56
00:04:33,480 --> 00:04:36,150
To do this, we'll use the cut command of the Linux shell.

57
00:04:37,140 --> 00:04:37,950
Type cut.

58
00:04:39,440 --> 00:04:44,500
The delimiter here is the space character; give it with the -d parameter.

59
00:04:48,710 --> 00:04:49,760
The IP is the
60
00:04:51,800 --> 00:04:55,640
fifth field of the line; give it with the -f parameter.

61
00:04:56,630 --> 00:04:58,880
Now we have the IP list of the live hosts.
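The grep and cut pipeline built in the video, as an added shell example that is not part of the course material, run over a constructed sample of nmap -sn output (the host names, addresses and timings below are made up). It also shows why the -n step matters: without it a resolved host prints as "name (ip)" and cut -f 5 returns the name, so a second function takes the last field and strips the parentheses, which works for both line shapes.

```shell
# Constructed sample of "nmap -sn 172.16.99.0/24" output without -n (not real scan output);
# one host resolved to a name, so its line has the shape "name (ip)".
SAMPLE_NMAP_OUTPUT='Starting Nmap ( https://nmap.org ) at 2020-01-01 10:00 UTC
Nmap scan report for 172.16.99.1
Host is up (0.00040s latency).
Nmap scan report for gateway.example.lan (172.16.99.2)
Host is up (0.0012s latency).
Nmap scan report for 172.16.99.130
Host is up (0.0030s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.50 seconds'

# The pipeline from the video. On a live system it is:
#   nmap -sn -n 172.16.99.0/24 | grep "Nmap scan report" | cut -d " " -f 5
# Field 5 is the IP only when nmap ran with -n; here the resolved host yields its name instead.
live_ips_field5() {
    printf '%s\n' "$1" | grep "Nmap scan report" | cut -d " " -f 5
}

# Generalisation: take the last field of each report line and drop the parentheses,
# so both "for 172.16.99.1" and "for name (172.16.99.2)" give the bare address.
live_ips_any() {
    printf '%s\n' "$1" | grep "Nmap scan report" | awk '{ ip = $NF; gsub(/[()]/, "", ip); print ip }'
}

# Stand-alone run: prints the live-host list for the constructed sample.
live_ips_any "$SAMPLE_NMAP_OUTPUT"
```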