1
00:00:00,060 --> 00:00:04,370
Well, what do open, closed or filtered actually mean?

2
00:00:04,410 --> 00:00:10,260
Let's take a closer look at the results of Nmap. When Nmap sends packets to a port and receives a positive

3
00:00:10,260 --> 00:00:10,830
response,

4
00:00:11,310 --> 00:00:17,760
the port is assigned the state of open. For example, a SYN scan receives a SYN/ACK from the destination

5
00:00:17,760 --> 00:00:19,320
system if the port is open.

6
00:00:20,540 --> 00:00:25,220
If Nmap determines that a port is not available, it assigns it the closed state.

7
00:00:26,030 --> 00:00:31,460
This signifies that Nmap has received a result that clearly shows that the port is closed.

8
00:00:32,210 --> 00:00:37,880
A SYN scan receiving an RST in response to a port query is an example of a closed port.

9
00:00:39,020 --> 00:00:44,990
Filtered ports are the result of a packet filter or firewall, when no response at all is received from

10
00:00:44,990 --> 00:00:45,830
the remote device.

11
00:00:46,700 --> 00:00:52,880
The port is considered to be filtered since a response isn't received from the port. Nmap often

12
00:00:52,880 --> 00:00:59,510
retries communication to the port to ensure that the packet wasn't simply dropped due to error or

13
00:00:59,510 --> 00:01:00,110
congestion.

14
00:01:00,920 --> 00:01:04,820
Please note that this type of response is categorised differently

15
00:01:05,150 --> 00:01:12,790
if this is a different scan type, such as a UDP scan or a FIN scan. The next result, open|filtered,

16
00:01:12,800 --> 00:01:13,610
is coming in a minute.

17
00:01:14,090 --> 00:01:21,170
On the other hand, if the destination system returns an unexpected response, again the port is considered

18
00:01:21,170 --> 00:01:21,830
to be filtered.

19
00:01:22,970 --> 00:01:28,430
If we get an ICMP unreachable response in a SYN scan, the port is flagged as filtered.

20
00:01:29,090 --> 00:01:34,730
Now, in some cases, the lack of a response may not necessarily mean that a port is filtered.

21
00:01:35,420 --> 00:01:42,290
Lack of a response might mean that the port might also be open. Now, in these situations, Nmap signifies

22
00:01:42,290 --> 00:01:44,660
that the port is either filtered or open.

23
00:01:45,410 --> 00:01:51,710
For example, in a UDP connection, in most cases, the destination system does not send a response

24
00:01:51,710 --> 00:01:53,480
when it receives a UDP packet.

25
00:01:54,380 --> 00:02:01,190
So if the destination system does not respond, Nmap categorizing it as open|filtered makes sense.

26
00:02:02,360 --> 00:02:06,440
In this slide, you see some of the most known default ports.

27
00:02:07,470 --> 00:02:08,370
So here's the question.

28
00:02:08,640 --> 00:02:14,520
If port 22 is open, is the service running there absolutely SSH?

29
00:02:15,150 --> 00:02:16,410
Could there be another service?

30
00:02:17,370 --> 00:02:20,460
Well, these are the default port numbers of the services.

31
00:02:20,880 --> 00:02:23,160
You can run any service on any port.

32
00:02:23,940 --> 00:02:27,480
You can run FTP on port 22, for example.

33
00:02:28,050 --> 00:02:31,590
But for ease of use, the default ports are used in general.

34
00:02:31,920 --> 00:02:36,840
So if you're performing a pen test, you should probably look at the well-known ports first.

35
00:02:36,870 --> 00:02:39,240
But you should never just scan the default ports.

36
00:02:40,670 --> 00:02:42,830
There are different ways to scan ports with Nmap.

37
00:02:43,840 --> 00:02:45,310
Let's see how we can scan ports.

38
00:02:46,430 --> 00:02:49,280
Let's prepare a SYN scan for a Metasploitable device.

39
00:02:49,970 --> 00:02:56,090
The IP address of my Metasploitable is one seven two one six nine nine eight two zero six.

40
00:02:57,270 --> 00:03:04,020
If you do not use any one of the port scanning parameters, the top 1000 ports are scanned. Top ports are

41
00:03:04,020 --> 00:03:05,910
the most used ports in general.

42
00:03:07,270 --> 00:03:11,140
The first way of choosing the ports to scan is using the -p parameter.

43
00:03:12,190 --> 00:03:14,530
After entering the scan type and target IP,

44
00:03:19,310 --> 00:03:21,560
enter the port numbers with the -p parameter.

45
00:03:22,550 --> 00:03:29,600
You can add ports one by one, separated by a comma, or you can give a range of ports by putting

46
00:03:29,870 --> 00:03:39,440
a dash between the port numbers. In this example, the ports 20 to 80 and the ports between 100 and 200

47
00:03:39,440 --> 00:03:39,950
are scanned.

48
00:03:41,670 --> 00:03:46,620
If you perform both a TCP scan and a UDP scan in a single Nmap query,

49
00:03:47,670 --> 00:03:53,040
you can choose both the UDP ports and the TCP ports using the -p parameter.

50
00:03:53,940 --> 00:03:58,680
For this, the Nmap scan will use both SYN scan and UDP scan at the same time.

51
00:03:59,070 --> 00:04:04,890
We haven't seen it yet, but the UDP scan is performed using the -sU parameter.

52
00:04:05,190 --> 00:04:08,400
And as you know, the SYN scan is a type of TCP scan.

53
00:04:08,940 --> 00:04:12,210
After entering the target IP, put -p.

54
00:04:13,430 --> 00:04:22,190
For TCP ports, put an uppercase T with a colon just after the -p parameter, and then the TCP ports to scan.

55
00:04:23,200 --> 00:04:29,380
Same as giving port numbers directly with the -p parameter, you can enter ports one by one separated by a comma,

56
00:04:29,800 --> 00:04:33,670
or you can give a range of ports by putting a dash between the port numbers.

57
00:04:34,850 --> 00:04:41,840
To specify the UDP ports, put U, an uppercase U, with a colon and the ports in the same format.

58
00:04:42,930 --> 00:04:51,060
For this example, let's scan the TCP ports 22 and 80 and the UDP ports 53 and the ports between 139

59
00:04:51,060 --> 00:04:51,870
and 150.

60
00:04:53,040 --> 00:04:56,730
So here are the results, TCP ports first and then UDP ports.

61
00:04:58,380 --> 00:05:04,620
Another way to specify the ports is using the --top-ports parameter, using this with the number of ports that

62
00:05:04,620 --> 00:05:05,430
will be scanned.

63
00:05:06,030 --> 00:05:12,120
You can scan the top ports with this parameter, so let's scan the top 20 ports for this example.

64
00:05:13,000 --> 00:05:16,300
So here are the top results, the most used 20 ports.

65
00:05:17,660 --> 00:05:23,810
If you use -F, uppercase F, which means fast scan, the top 100 ports are scanned.

66
00:05:24,790 --> 00:05:29,070
So let's perform an Nmap SYN scan with the -F parameter here.

67
00:05:34,060 --> 00:05:40,060
And open another terminal screen and perform another Nmap scan using the --top-ports 100 parameter.

68
00:05:48,100 --> 00:05:52,360
As you see, we get the same result because these are the same queries.

69
00:05:54,680 --> 00:05:57,050
If you'd like to scan all the ports of the system,

70
00:05:58,250 --> 00:06:01,400
well, you should scan all the ports of the systems in a pen test.

71
00:06:01,970 --> 00:06:05,970
You have to use the -p parameter with the interval from 1 to

72
00:06:06,020 --> 00:06:06,920
65535.

73
00:06:07,910 --> 00:06:09,950
This is the range of possible port numbers.

74
00:06:11,240 --> 00:06:14,870
Prepare the Nmap SYN scan query with the destination IP address.

75
00:06:15,380 --> 00:06:19,760
Now put -p 1-65535.

76
00:06:23,590 --> 00:06:24,340
And hit enter.

77
00:06:26,620 --> 00:06:28,870
Here are all the open ports of Metasploitable.

78
00:06:30,890 --> 00:06:37,130
By default, Nmap does host discovery and then performs a port scan against each host it determines

79
00:06:37,130 --> 00:06:37,790
is online.

80
00:06:39,080 --> 00:06:46,250
If you use -Pn in the Nmap query, you skip host discovery and port scan all target hosts.

81
00:06:47,200 --> 00:06:53,110
Disabling host discovery with -Pn causes Nmap to attempt the requested scanning functions against

82
00:06:53,110 --> 00:06:55,180
every target IP address specified.

83
00:06:55,840 --> 00:07:00,790
So if a class C target address space, that means /24, is specified on the command line,

84
00:07:01,180 --> 00:07:03,940
all 255 IP addresses are scanned.

85
00:07:04,930 --> 00:07:06,100
Why would we want to do this?

86
00:07:06,400 --> 00:07:13,940
As you know, if you are a privileged user, Nmap sends four types of packets to discover hosts: an echo

87
00:07:13,940 --> 00:07:17,680
request, a SYN packet to TCP port 443,

88
00:07:18,670 --> 00:07:23,920
an ACK packet to TCP port 80, and an ICMP timestamp request.

89
00:07:25,900 --> 00:07:33,160
If the system is configured not to answer ICMP requests, and if ports 80 and 443 are filtered,

90
00:07:33,640 --> 00:07:37,300
then Nmap thinks that the host is down even if it's up.

91
00:07:37,420 --> 00:07:43,240
If you find a system which is not found by ping scan, always use -Pn for further port scans.

92
00:07:43,810 --> 00:07:49,000
Otherwise, Nmap doesn't perform the port scan because it assumes that the host is not up.

93
00:07:49,510 --> 00:07:56,350
So if your network is not big, or if you don't have enough time to scan, you should skip the ping scan

94
00:07:56,350 --> 00:07:59,290
and run the port scans for every possible IP address.

95
00:08:00,280 --> 00:08:06,880
Use a port scan instead of a ping scan if you are scanning a server block, because those systems are configured

96
00:08:06,880 --> 00:08:09,310
to be more secure than usual.

97
00:08:09,970 --> 00:08:13,020
Then you can find more computers than the ping scans do.

98
00:08:14,100 --> 00:08:14,970
You're halfway there.