Hello everybody and welcome back. In this tutorial we will continue with some of the other options that nmap allows us, and you might be asking why we are covering all these options for nmap. Well, basically it is a really important tool, and knowing all these options will make you at least 50 percent better in penetration testing, since scanning is a really important part of performing a penetration test. So let us right here just open up our terminal. Let me make it this big, and in the other terminal right here I will open up the commands... actually no, the commands... where we write all of the nmap commands that we cover in this particular tutorial. So that is just up here: nmap. And the first thing we want to check out is the -Pn command. Now we can find it right here, or, for example, let's say you can't find a specific command in this bunch of commands. You can just type here nmap and then grep -P and just find your -Pn... and it shows us... not like that, I did not want that to happen. We just... oh yes. nmap -h... grep Pn... it doesn't... Yeah. Never mind. For some reason that worked yesterday but doesn't want to work now, so it doesn't really matter.
Just find the command right here; let me just find it. It should be -P, capital P, and then n, and here it is: treat all hosts as online, skip host discovery. Now this is an important command. You might be asking why. Well, some of the hosts that you scan on the network can appear to be offline. So for example if you know a specific host must be running and is online, but let's say you scan it right here and it says that it is offline. Now this is my laptop, so it will say that it is online at the moment. I've had some scans that basically said that my machine that I was scanning, which was right next to me and which was connected to the Internet and to the network and running, basically said that the host was down, and every time I specified the -Pn option it basically skips the whole discovery and, as it says, treats all hosts on the network as if they were online, which will perform the scan and it will give you the results without host discovery. So let's say for example I scan this IP address, which I don't have anything running on, so it will say that the host is down, as you can see right here: zero hosts up. This will be the same output for a machine that is running but is blocking the ping requests, or is showing other machines that it's offline.
So in that case you specify the -Pn option and then you specify the IP address, and it will show as if it is online. Now in my case it won't show, since I don't have anything there, so let me just scan my laptop. Once again I just typed here nmap -Pn and then 192.168.1.8, and it will skip the whole discovery and it will basically automatically say that my host is up and running and it will scan for its open ports. Now let me just see, it has finished around 22 percent. You might notice that the scan is going a little bit slower, so we won't be waiting for that to finish. There is no point, or we can just leave it right here. Perhaps it finishes while I type it right here. So -Pn and then the IP address, basically the IP address of any machine that you're scanning or any website that you're scanning, of course trying not to scan the websites that you do not have permission on. You can always use scanme.nmap.org, which we have permission to scan by nmap. Well, you can basically just use the Metasploitable machine that we installed, or you can install basically any other virtual machine that you will use in order to scan and attack. Now since I can't really run Metasploitable, it gives me some error.
I downloaded another machine to show you how to install it, and I will show you why we will use it. Basically we will use it extensively in the website penetration testing part. I'm not really sure if Metasploitable has it already installed; I doubt it. So you can check out if it has that, and then you don't need to install this virtual machine as well, but if it doesn't, you should install this virtual machine, as it is vulnerable and it is used for penetration testing. So we will cover some of the attacks on the websites using this machine. But let us see right here. As you can see the scan has finished and it treated our host as up and it discovered an open port. It also gave back the MAC address. It is a useful command if you know that the host is running and it is showing that it is offline. You just type your -Pn and you will have your host scanned. Now, the next option I want to show you, which I didn't show you before: if we type here nmap, it would be the -sT command. If we go up here and find the -sT, you can see that it is basically our default TCP scan; let me just find it. Right here we have the -sU, -sT and -sS. Here it is. We can see a bunch of these options.
We will only cover these three first, basically, but for now let's just cover the -sT, which if you look right here is basically a connect scan. Now, connect scan means that it performs the full three-way handshake in order to scan the target. Now as we talked before, the TCP connection requires a three-way handshake. So let me just open up a pen so I can show you better. For example let's say you have a PC right here and you have another PC right here. So basically just laptops, since I'm not really sure how to draw PCs; that is just, this is PC A and this is PC B. Let's say PC B is your target and you scan from computer A. Now, when you use the -sT option, so -sT option, it basically performs a three-way handshake scan with TCP, which is basically sending a bit set called SYN; then the other machine is sending us the bits called SYN-ACK, which is basically the same as SYN. In order for you to learn more about this and to know what I'm talking about right here, you should read more about the TCP and UDP scans and TCP and UDP connections. I talked briefly about it in the previous tutorials, but you might need to know a little bit more in order to understand how these scans work. So that it is not that complicated.
And then the scan finishes with only ACK; I don't have room to write it, but that is basically the three-way handshake. So it is SYN, SYN-ACK. And then once again ACK. Why is it called a three-way handshake? Because it consists of three parts. As you can see right here, SYN, SYN-ACK, and then once again ACK, just ACK. So the -sT option in nmap performs all of these three, and therefore it can be detected on the target machine, as you perform the full connection on the system, but it is also a more accurate option for scanning, since if you were to complete only the SYN it won't be able to gather as much information and as accurate information as you would be able to gather with the full TCP three-way handshake. So if you want your target to not be able to detect you, you shouldn't be using the -sT scan. It is very detectable, as I said, since you used the full TCP handshake. So let me just type here nmap -sT and then we can just type here 192.168.1.8, and it will basically give us the same output as this option right here, but here you specified it to use the full three-way handshake, and this is the option that would give you the most accurate and precise results. So let me just see, here it is. It finished with the same result as the previous scan.
So we have one TCP open port, so let me just write it right here: nmap -sT 192.168.1.8. So we covered the full TCP connect scan now. The next thing I want to basically cover is the -sS scan. So let me just open up here. -sS is only the first part of the -sT; let me just explain that a little bit better. As you can see, the -sT is a full connect and the -sS is the TCP scan with only the SYN bit set. So basically in order for us to scan we will only be sending this first part of the three-way handshake; that's why it is specified as -sS, the capital S stands for SYN right here. Now the thing about SYN scanning is it isn't detectable on the target host. So you can use that option in order to prevent the target from detecting your scan, because it won't really complete the handshake, but it is less accurate and it can also be detected by your IDS. Now we will talk in the next tutorial on how to avoid the IDS detection, how to avoid some of the defenses that could be implemented into your router.
For example, in order to block or send false information onto your nmap scan. So let us perform the -sS scan here. Basically we type here nmap -sS and then the IP address of our laptop, or basically any machine or website that you're scanning. This is taking a little bit longer than the -sT scan, probably because it takes a longer time in order for it to get the same information that we got while using the full TCP handshake scan. So we will wait for this to finish in order to see what the results are, and if they are the same as the -sT option. So while this is running I will just type here -sS 192.168.1.8. Now while this is at 45 percent, OK, all this is doing, let's recap. So the -Pn option, as we said, is used when the hosts appear down. The -sT option is a three-way handshake TCP connection to the host, and it is detectable and more accurate. The -sS scan performs only the first part of the three-way handshake, which is the SYN part; it is not detectable on the host. It is less accurate and it can be detected by your IDS. So as we can see the scan has finished and it gave us the same output as the -sT scan, which is good. We have one open port and we have the service running on it. So let us just type here once again nmap.
There is one more option I want to show you before we finish this tutorial, which is the -sU option. If we go right here, you can see the -sU option is basically only UDP scan. All of these three options, well basically all of these five right here, perform the TCP scan, or basically a part of a TCP scan, as well as some of these right here. And if you specify the -sU option it will only perform a UDP scan. Now as we talked before, UDP is connectionless and we won't have any confirmation that the packets arrived at our target. It does not consist of a three-way handshake, or basically it does not consist of any handshake; with UDP we simply just send packets to the other hosts and hope that they get there intact and whole. So let's just right here use the UDP scan, so we specify the -sU option, U stands for UDP, and we type here our IP address. Let's see how long this will take; as we can see it won't finish that fast. This is also a slower scan. So let me just write it right here so we can see which ones we covered, and my advice would be to use -sT when it doesn't really matter if it detects you, and if you are performing a penetration test, for example, where the target shouldn't be able to detect you,
you can use the -sS scan, or you can use some of the options for scans that I will show you in the next tutorial in order to make your scan even less detectable. So let me just see where this is: at 62 percent. So I will cut the tutorial right here and I will show you the output of this command in the next one, as well as some of the other options that we will cover. So I hope you enjoyed this lecture and I hope I see you in the next one. Bye.