1
00:00:00,210 --> 00:00:07,770
TCP scan, also known as TCP Connect scan, is the default TCP scan type when SYN scan is not an option.

2
00:00:09,090 --> 00:00:11,820
Well, when is this, again, not an option?

3
00:00:11,850 --> 00:00:15,640
Do you remember the trip of a data packet on a DNS query in that lecture?

4
00:00:15,660 --> 00:00:20,670
I said that layer three and layer four packets are managed by the operating system of your device.

5
00:00:21,060 --> 00:00:25,800
That means the user does not interfere with the TCP three-way handshake.

6
00:00:25,890 --> 00:00:29,160
The whole process is managed by the operating system itself.

7
00:00:30,030 --> 00:00:36,510
In a sense, can we interrupt the three-way handshake and not send the last ACK packet to complete

8
00:00:36,510 --> 00:00:37,110
the handshake?

9
00:00:38,230 --> 00:00:43,310
You have to be a privileged user to be able to interrupt the handshake. If you're not a privileged user,

10
00:00:43,330 --> 00:00:44,410
you cannot interrupt

11
00:00:44,560 --> 00:00:47,920
the three-way handshake and cannot perform a SYN scan as well.

12
00:00:48,190 --> 00:00:54,220
So instead of writing raw packets as most other scan types do, which needs admin privilege, Nmap

13
00:00:54,550 --> 00:01:00,730
asks the underlying operating system to establish a connection with the target machine and port by issuing

14
00:01:00,730 --> 00:01:02,780
the native connect system call.

15
00:01:03,580 --> 00:01:07,510
So you don't need to be a privileged user to perform TCP Connect scans.

16
00:01:08,970 --> 00:01:15,210
When SYN scan is available, it is usually a better choice. Nmap has less control over the high-

17
00:01:15,210 --> 00:01:18,720
level connect call than with raw packets, making it less efficient.

18
00:01:19,350 --> 00:01:24,990
The system call completes connections to open target ports rather than performing the half-open reset

19
00:01:25,260 --> 00:01:26,310
that SYN scan does.

20
00:01:27,390 --> 00:01:32,730
Not only does this take longer and require more packets to obtain the same information, but target

21
00:01:32,730 --> 00:01:36,090
machines are more likely to log the connection. Not too stealthy.

22
00:01:38,050 --> 00:01:43,930
The steps of a TCP Connect scan are exactly the same as the TCP three-way handshake.

23
00:01:44,770 --> 00:01:50,110
You send the SYN packet to open a real connection and then wait for a response.

24
00:01:51,380 --> 00:01:59,660
A SYN/ACK response indicates the port is listening or open, while an RST (reset) is indicative of a non-

25
00:01:59,660 --> 00:02:00,140
listener.

26
00:02:01,190 --> 00:02:08,870
If no response is received after several retransmissions or an ICMP unreachable error is received, the

27
00:02:08,870 --> 00:02:10,100
port is marked as filtered.

28
00:02:11,540 --> 00:02:17,180
If you receive a SYN/ACK from the target system, you send an ACK packet to complete the three-way handshake.

29
00:02:18,300 --> 00:02:21,750
Since we have nothing to say at the moment, we send RST to end the conversation.

30
00:02:22,230 --> 00:02:27,830
Let's see what happens under the hood when we perform a TCP scan and then compare the SYN scan with

31
00:02:27,840 --> 00:02:28,800
a TCP scan.

32
00:02:29,740 --> 00:02:34,060
Let's perform an Nmap TCP scan in our virtual network first.

33
00:02:36,420 --> 00:02:38,760
Go to Kali and open a terminal screen.

34
00:02:39,660 --> 00:02:41,730
I want to scan my Metasploitable system.

35
00:02:42,570 --> 00:02:44,490
So let's check if the host is up first.

36
00:02:45,270 --> 00:02:52,740
I know the IP address of my Metasploitable VM, so type ping one seven two one six nine nine two

37
00:02:52,740 --> 00:02:54,450
zero six and hit enter.

38
00:02:54,840 --> 00:02:57,540
OK, we received response packets.

39
00:02:57,570 --> 00:02:58,440
The system is up.

40
00:02:58,890 --> 00:03:05,940
Let's create the TCP scan command. nmap is the command itself, -sT is TCP scan.

41
00:03:07,470 --> 00:03:15,870
-n is to avoid the DNS resolution; I'd like to see the IP addresses. -Pn is to avoid the host

42
00:03:15,870 --> 00:03:16,500
discovery.

43
00:03:16,950 --> 00:03:21,630
I already know that the host is up, although you should make it a habit to use -Pn while you're scanning

44
00:03:21,630 --> 00:03:22,500
a single system.

45
00:03:22,950 --> 00:03:29,040
Now we have the target IP address, one seven two one six nine nine two zero six.

46
00:03:29,580 --> 00:03:33,480
And let's keep it a fast scan, for the top ten ports only.

47
00:03:34,260 --> 00:03:38,580
I use the --top-ports parameter for this purpose and hit enter.

48
00:03:39,300 --> 00:03:42,180
Here are the states of the top 10 ports of Metasploitable.

49
00:03:42,190 --> 00:03:45:510
About seven ports are open and three ports are closed.

50
00:03:46,290 --> 00:03:50,640
OK, let's open Wireshark and see what's happening when a TCP scan is performed.

51
00:03:51,000 --> 00:03:53,100
So you've got to run Wireshark first.

52
00:03:53,730 --> 00:03:56,670
Double-click eth0 to start listening to that interface.

53
00:03:57,600 --> 00:03:59,930
To skip the packets which we are not interested in,

54
00:03:59,940 --> 00:04:00,900
I add a filter.

55
00:04:01,380 --> 00:04:07,020
I only want to see the traffic for my destination computer, one seven two one six nine nine two zero

56
00:04:07,020 --> 00:04:11,370
six, and I want to see the TCP traffic only.

57
00:04:11,910 --> 00:04:14,910
Click the blue arrow next to the filter bar to activate the filter.

58
00:04:16,290 --> 00:04:20,220
To clear the packets we've already caught, I restart Wireshark packet capturing.

59
00:04:21,310 --> 00:04:23,470
OK, now go to the terminal screen.

60
00:04:24,070 --> 00:04:28,330
I'd like to analyze the TCP scan packets for an open port first.

61
00:04:29,300 --> 00:04:35,330
I'm going to run the latest Nmap query again, but this time I run the query for port 80 only.

62
00:04:36,140 --> 00:04:38,570
Hit enter and run the Nmap query.

63
00:04:38,930 --> 00:04:41,420
Yes, the port is open, as I remember.

64
00:04:42,110 --> 00:04:43,910
It's good to know I'm not losing my memory.

65
00:04:45,120 --> 00:04:46,260
Go back to Wireshark.

66
00:04:46,770 --> 00:04:52,590
I want to stop Wireshark by clicking the red square at the upper left corner to avoid unwanted packets.

67
00:04:53,310 --> 00:04:54,960
Now here we have three packets.

68
00:04:55,260 --> 00:04:58,620
The first packet is a SYN packet to start the three-way handshake.

69
00:04:59,130 --> 00:05:04,560
It's from an arbitrary port of Kali to the 80th port of Metasploitable, the destination system.

70
00:05:05,280 --> 00:05:08,490
The second packet is a SYN/ACK sent by the destination system.

71
00:05:10,200 --> 00:05:16,770
The third packet is an ACK sent by Kali to complete the TCP three-way handshake, and the fourth packet

72
00:05:17,040 --> 00:05:20,610
is an RST sent by Kali again to end the conversation.

73
00:05:21,510 --> 00:05:28,440
This time I want to scan a closed port, for example port 81. Before running the query, I restart

74
00:05:28,440 --> 00:05:33,750
the Wireshark packet capturing to clean its screen by clicking the blue button in the upper left corner.

75
00:05:34,880 --> 00:05:41,780
In the terminal screen, I hit enter to run the query. As you see, port 81 is closed.

76
00:05:42,350 --> 00:05:46,850
Now let's look at the Wireshark interface to see what happened when we scanned a closed port.

77
00:05:47,790 --> 00:05:53,730
The first packet is, again, a SYN packet to start the three-way handshake. The source system is Kali

78
00:05:53,730 --> 00:05:55,590
and the destination system is Metasploitable.

79
00:05:57,160 --> 00:06:03,490
The second packet is, for this scan, an RST packet. Because port 81 is closed, the destination system sends

80
00:06:03,490 --> 00:06:04,360
us an RST packet.

81
00:06:05,910 --> 00:06:12,180
So here we have a comparison between SYN scan packets and TCP scan packets for an open port.

82
00:06:13,340 --> 00:06:18,110
In SYN scan, Nmap has interrupted the three-way handshake by RST.

83
00:06:19,380 --> 00:06:25,350
In TCP scan, on the other hand, the three-way handshake is completed and the communication is established.

84
00:06:27,010 --> 00:06:31,870
So let's see the differences between the SYN scan and the TCP scan in a table, which we've only verbally

85
00:06:31,870 --> 00:06:38,080
talked about up to now. The three-way handshake is not completed in SYN scan, while it's completed in TCP

86
00:06:38,080 --> 00:06:38,470
scan.

87
00:06:39,730 --> 00:06:47,170
An RST packet is sent when a SYN/ACK is received in SYN scan, while an ACK packet is sent in TCP scan.

88
00:06:49,020 --> 00:06:54,540
Target machines are more likely to log the connection when the connection is established in TCP scan;

89
00:06:55,440 --> 00:07:01,770
no log for SYN scans, because the three-way handshake is not established, because the native operating system

90
00:07:01,770 --> 00:07:02,820
call is interrupted.

91
00:07:03,330 --> 00:07:09,930
SYN scan has to be run by a privileged user. TCP scan uses the system call, so it does not need extra

92
00:07:09,930 --> 00:07:10,590
privileges.

