1
00:00:00,240 --> 00:00:06,060
SYN scan is the default and the most popular scan option for good reasons. It can be performed

2
00:00:06,060 --> 00:00:12,180
quickly, scanning thousands of ports per second on a fast network not blocked by restrictive firewalls.

3
00:00:13,350 --> 00:00:17,670
It's also relatively stealthy, since it never completes TCP connections.

4
00:00:18,810 --> 00:00:24,570
It also allows clear, reliable differentiation between open, closed and filtered states.

5
00:00:25,610 --> 00:00:31,760
This technique is often referred to as half-open scanning because you don't open a full TCP connection.

6
00:00:33,400 --> 00:00:38,620
You send a SYN packet as if you're going to open a real connection and then wait for a response.

7
00:00:39,900 --> 00:00:47,970
A SYN/ACK indicates the port is listening (open), while an RST (reset) is indicative of a non-listener.

8
00:00:48,630 --> 00:00:55,350
If no response is received after several retransmissions, or an ICMP unreachable error is received, the

9
00:00:55,350 --> 00:00:56,790
port is marked as filtered.

10
00:00:57,880 --> 00:01:04,210
If you receive a SYN/ACK from the target system, you send an RST instead of the ACK packet, and you do

11
00:01:04,210 --> 00:01:06,070
not complete the three-way handshake.

12
00:01:07,130 --> 00:01:11,480
OK, so let's perform an Nmap SYN scan in our virtual network.

13
00:01:13,390 --> 00:01:15,820
Go to Kali and open the terminal screen.

14
00:01:16,480 --> 00:01:19,900
First, let's look at the IP address of Kali to understand the IP block.

15
00:01:20,910 --> 00:01:24,650
Here, my IP block is 172.16.99.

16
00:01:25,350 --> 00:01:30,450
It's because the netmask is 255.255.255.0.

17
00:01:30,900 --> 00:01:35,220
Let's create the SYN scan command. nmap is the command itself.
18
00:01:36,350 --> 00:01:42,980
-sS (capital S) is the SYN scan. Since it's the default scan type for privileged users, and I'm already

19
00:01:42,980 --> 00:01:44,150
a privileged user in Kali,

20
00:01:44,420 --> 00:01:47,480
this parameter is not necessary for a SYN scan.

21
00:01:48,760 --> 00:01:50,980
Now, here is the target IP block:

22
00:01:51,190 --> 00:01:55,690
172.16.99.0/24.

23
00:01:56,170 --> 00:02:02,110
As we've talked about before, remember this is the IP address block from

24
00:02:02,110 --> 00:02:03,130
172.16.99.0

25
00:02:03,430 --> 00:02:08,380
right the way through 172.16.99.255.

26
00:02:08,410 --> 00:02:12,220
And let's give it a fast scan for just the top 50 ports.

27
00:02:12,700 --> 00:02:16,930
I use the --top-ports parameter for this purpose and hit Enter.

28
00:02:20,050 --> 00:02:21,490
Now, let's look at the scan results.

29
00:02:21,910 --> 00:02:28,000
Here we have the computers which have the IP addresses 172.16.99.1 and

30
00:02:28,000 --> 00:02:28,450
172.16.99.2.

31
00:02:29,380 --> 00:02:33,510
These are the gateway and the DNS server for my VM's virtual network.

32
00:02:33,940 --> 00:02:34,960
Ignore them for now.

33
00:02:35,840 --> 00:02:38,670
In fact, .1 is my host machine at the same time.

34
00:02:38,690 --> 00:02:42,500
Here there is a system, and these are its open ports among the top 50.

35
00:02:43,730 --> 00:02:45,050
Well, look, there's another machine.

36
00:02:45,080 --> 00:02:47,390
And of course, its open ports.

37
00:02:56,980 --> 00:03:03,100
The machine with .254 is the DHCP server of my VM, so ignore that as well.

38
00:03:03,430 --> 00:03:06,490
And the last machine found is the Kali itself.

39
00:03:07,480 --> 00:03:12,040
OK, let's open Wireshark and see what's happening when a SYN scan is performed.
40
00:03:13,090 --> 00:03:18,610
Run Wireshark first, and double-click eth0 to start listening on that interface.

41
00:03:19,600 --> 00:03:22,330
Now, to skip the packets which we are not interested in,

42
00:03:22,780 --> 00:03:23,650
I add a filter.

43
00:03:24,280 --> 00:03:26,980
I only want to see the traffic for my destination computer,

44
00:03:27,280 --> 00:03:30,610
172.16.99.139.

45
00:03:31,510 --> 00:03:33,790
And I want to see the TCP traffic only.

46
00:03:34,870 --> 00:03:38,140
Click the blue arrow next to the filter bar to activate the filter.

47
00:03:39,350 --> 00:03:41,420
OK, now go to the terminal screen.

48
00:03:42,550 --> 00:03:50,200
I'd like to analyze the SYN scan packets for an open port first. 172.16.99.139

49
00:03:50,200 --> 00:03:52,210
is my destination system.

50
00:03:52,630 --> 00:03:56,110
And I know that port 80 of that system is open.

51
00:03:57,380 --> 00:03:59,510
Hit Enter and run the Nmap query.

52
00:04:00,020 --> 00:04:01,940
Yep, the port is open, just as I remember.

53
00:04:03,380 --> 00:04:04,850
So now go back to Wireshark.

54
00:04:05,790 --> 00:04:11,700
I want to stop Wireshark by clicking the red square in the upper left corner, to avoid unwanted packets.

55
00:04:12,000 --> 00:04:13,560
So here we have three packets.

56
00:04:14,460 --> 00:04:20,040
The first packet is from an arbitrary port of Kali to port 80 of the system .139,

57
00:04:20,310 --> 00:04:24,870
the destination system. It is a SYN packet to start the three-way handshake.

58
00:04:26,040 --> 00:04:29,970
The second packet is a SYN/ACK sent by the destination system.

59
00:04:30,840 --> 00:04:34,800
The third packet is an RST sent by Kali, because it's a SYN scan.

60
00:04:35,370 --> 00:04:39,090
The three-way handshake is not completed; it is corrupted by an RST packet.
61
00:04:40,130 --> 00:04:46,040
Now I restart the Wireshark packet capturing to clean the screen, by clicking the upper left blue button.

62
00:04:46,370 --> 00:04:50,770
OK, so this time I scan a closed port, for example port 81.

63
00:04:54,790 --> 00:04:58,870
Now, the first packet is a SYN scan packet to start the three-way handshake again.

64
00:04:59,620 --> 00:05:03,940
The source system is Kali and the destination system is again .139.

65
00:05:05,080 --> 00:05:10,930
The second packet is, for this scan, an RST packet, because port 81 is closed.

66
00:05:11,590 --> 00:05:14,260
The destination system sent us an RST packet.

67
00:05:14,860 --> 00:05:17,740
Let's see how Nmap interprets the results of a SYN scan.

68
00:05:19,140 --> 00:05:25,530
When we send a SYN packet, the destination system replies with a SYN/ACK packet to show that it's ready for

69
00:05:25,530 --> 00:05:26,040
a connection.

70
00:05:27,070 --> 00:05:32,620
And we send an RST to corrupt the handshake, and Nmap interprets this result as:

71
00:05:34,160 --> 00:05:35,060
the port is open.

72
00:05:36,200 --> 00:05:41,210
If the destination system replies with an RST to our SYN packet, that means:

73
00:05:42,620 --> 00:05:44,950
the port is accessible, but it's closed.

74
00:05:46,120 --> 00:05:49,360
If the destination system doesn't respond to our SYN packet,

75
00:05:50,890 --> 00:05:53,710
Nmap thinks that the packet has been dropped or filtered.

76
00:05:54,220 --> 00:05:56,320
It's a common behavior of firewalls.

77
00:05:57,190 --> 00:06:04,540
If the destination system replies with an ICMP unreachable packet to our SYN packet, again it's interpreted

78
00:06:04,540 --> 00:06:05,380
as filtered.

79
00:06:05,830 --> 00:06:07,810
This is another type of firewall behavior.
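The interpretation rules the video walks through (SYN/ACK = open, RST = closed, silence or ICMP unreachable = filtered) and the three-packet half-open exchange seen in Wireshark, as an added worked example that is not part of the course: it classifies per-port results from constructed packet records shaped like the Wireshark rows, and, from the defender's side, flags flows that were torn down with RST instead of completing the handshake. The scanner address 172.16.99.50 and the port/flag records are constructed assumptions; only 172.16.99.139, port 80 and port 81 come from the video.

```python
SCANNER = "172.16.99.50"    # constructed: Kali's own address is not stated in the video
TARGET = "172.16.99.139"    # the destination system used in the video

# Constructed records shaped like the Wireshark rows shown in the video:
# (src, dst, src_port, dst_port, flags). "ICMP3" marks an ICMP unreachable
# reply; type 3 messages quote the probe's headers, so its ports are known.
CAPTURE = [
    (SCANNER, TARGET, 40001, 80, "S"),     # SYN to open port 80
    (TARGET, SCANNER, 80, 40001, "SA"),    # SYN/ACK: something is listening
    (SCANNER, TARGET, 40001, 80, "R"),     # RST: the scanner tears it down
    (SCANNER, TARGET, 40002, 81, "S"),     # SYN to closed port 81
    (TARGET, SCANNER, 81, 40002, "RA"),    # RST/ACK: closed
    (SCANNER, TARGET, 40003, 22, "S"),     # SYN, no answer ...
    (SCANNER, TARGET, 40003, 22, "S"),     # ... retransmitted, still silent
    (SCANNER, TARGET, 40004, 443, "S"),    # SYN answered by ICMP unreachable
    (TARGET, SCANNER, 443, 40004, "ICMP3"),
    (SCANNER, TARGET, 40005, 8080, "S"),   # an ordinary client: full handshake
    (TARGET, SCANNER, 8080, 40005, "SA"),
    (SCANNER, TARGET, 40005, 8080, "A"),
]


def classify_syn_scan(capture, scanner, target):
    """Return ({dst_port: state}, [half-open dst_ports]) using the video's rules."""
    flows = {}   # (scanner_port, target_port) -> ordered list of "who:flags"
    for src, dst, sport, dport, flags in capture:
        if src == scanner and dst == target:
            flows.setdefault((sport, dport), []).append("client:" + flags)
        elif src == target and dst == scanner:
            flows.setdefault((dport, sport), []).append("server:" + flags)
    states, half_open = {}, []
    for (_, dport), events in flows.items():
        if "client:S" not in events:
            continue                        # not a probe the scanner sent
        if "server:SA" in events:
            states[dport] = "open"          # SYN/ACK means a listener is there
            if "client:R" in events and "client:A" not in events:
                half_open.append(dport)     # SYN scan signature: RST instead of ACK
        elif "server:R" in events or "server:RA" in events:
            states[dport] = "closed"        # RST: reachable, but no listener
        else:
            states[dport] = "filtered"      # ICMP unreachable or silence after retries
    return states, sorted(half_open)


if __name__ == "__main__":
    print(classify_syn_scan(CAPTURE, SCANNER, TARGET))
```

The half-open list is what a sensor would alert on: a normal client finishes the handshake with an ACK, whereas port 8080 shows the completed handshake and port 80 shows the SYN scan pattern.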