When it comes to network reconnaissance, ping scans are a crucial tool for detecting live hosts. Nmap, a powerful network scanning tool, employs various techniques for host discovery, including sending TCP SYN, TCP ACK and ICMP packets. However, if a firewall blocks these requests, the host may mistakenly be considered offline. Fortunately, Nmap offers a scanning technique called the TCP SYN ping scan, which is particularly useful for probing different ports to determine the online status of a host or to identify permissive filtering rules. So let's dive into the TCP SYN ping scan and its related options.

So to initiate a TCP SYN ping scan using Nmap, you first open the terminal and enter nmap -sn -PS, and after that you enter the target domain or target IP address. So let's enter our target domain here. As you can see here, host is up. So it bypassed the firewall and it now tells us that the host is up.

So let's actually think about how it works. The -sn option here instructs Nmap to skip the port scanning phase and focus solely on host discovery.
The -PS flag (uppercase P, S) indicates the use of the TCP SYN ping scan, and this type of ping scan operates in four steps. The first step is that Nmap sends a TCP SYN packet to port 80, a common port used for web services. Step two: if the port is closed, the host responds with a reset (RST) packet, indicating no service is available. Step three: if the port is open, the host responds with a TCP SYN/ACK packet, the TCP SYN acknowledgement packet, suggesting that a connection can be established. And finally, a packet is sent to terminate the connection attempt.

So by appending /24 here, the CIDR notation, to the IP address or domain, we can specify a range of 254 IP addresses. And as you can see here, all of them are up. We scanned from this one to that one, and that's it, that's how it worked. And I have an additional note for you: TCP SYN ping scans are highly effective for determining the presence of hosts on a network. So while Nmap utilizes a default set of probes, it allows for customization, enabling you to select specific ports to probe. And now let's explore more about the TCP SYN ping scan technique.
So we have two ways to start the TCP SYN ping scan technique. The first is unprivileged, where you just enter nmap and then your parameters, commands, targets and so on. But you can also run it with sudo, so as a privileged user. Running a TCP SYN ping scan as an unprivileged user, a normal user who lacks the ability to send raw packets, lets Nmap employ the connect() function, a system call, to send the TCP SYN packet. So in this scenario Nmap differentiates between a SYN/ACK response, indicating a live host, and a packet received with an ECONNREFUSED error, indicating an online host here.

So we also need to discuss firewalls and traffic filtering. Due to the prevalence of traffic filtering systems, it's crucial to employ diverse ping scanning techniques. So consider the following example. During a TCP SYN ping scan, a host that is online might be misidentified as offline if it's situated behind a traffic filtering system that blocks TCP or ICMP requests. So to overcome this, a targeted scan can be performed on a specific open port such as port 80. So here we can use nmap -PS80, and then after that you enter the target IP or domain name, and now what we are doing is scanning port 80 here.
So you can also specify a list of ports to be used with the -PS option. For example, we can use nmap -PS and, without a space, add the ports separated by commas, such as -PS80,21,53 and so on, and after listing the ports you enter the target. But by the way, you can also use a port range. In order to do that, we will enter 1-1000, and in this case we will scan all the ports in the target system from 1 to 1000. So here in this case, let's actually use 80, 21 and 53, and 443, which is the HTTPS protocol. And we can also merge that with, for example, 100-1000, and then we enter our target domain or host IP address. And as you can see here, we got several open ports and service names. As you can see, all of these are TCP ports.

And now what we're going to do is give the target here, code Slate.com, and for example, when scanning this code Slate.com network, it's beneficial to customize the SYN probe to include ports 80 and 443, which are commonly used for hosting, for SSL. So as you can see, it says "Duplicate port number(s) specified. Are you alert enough to be using Nmap? Have some coffee or Jolt(tm)." That's because we are using 443 and after that we are scanning from 100 to 1000, and that's why we got that warning.
So it's no problem here. Actually, it just notifies us; this is just a warning and not an error.

So in Nmap we also have a way to discover hosts with the TCP ACK ping scan. Similar to the TCP SYN ping scan, the TCP ACK ping scan is employed to determine whether a host is responsive. So this technique aids in detecting hosts that block SYN packets and ICMP echo requests. However, modern firewalls which track connection states typically block this method, as it involves sending bogus TCP ACK packets associated with non-existing connections. So to perform this TCP ACK ping scan and observe the online hosts, you will follow these steps. We will actually use sudo nmap here, and after that we will use -PA, an uppercase P and A, and after that you enter the target domain or IP address, in this case code.com, and enter your password, and that's it. And here we will get an output. And as you can see, 25% is done, 30% and so on. And this is how you can start a TCP ACK ping scan and observe the online hosts. So here now we are waiting for it, 31% in progress. So it might actually take some time.
So while this is running, we will go to another command. The output will display a list of hosts that respond to the TCP acknowledgment (ACK) packets sent, indicating their online status. For example, we can also use this on a local address: nmap -sn, notice the -sn here, then -PA, and then the local network address ending in .0 with /24. Similar to the TCP SYN ping scan, here we can also use the -sn option; this option directs Nmap to skip port scanning and solely focus on host discovery, and as you can see here we got the output.

The -PA here signifies the usage of the TCP ACK ping scan, and the TCP ACK ping scan operates in two steps. The first step is that Nmap sends an empty TCP packet with the ACK flag set to port 80, and this is the default port, although an alternative port list can be specified. And step two is: if the host is offline, it should not respond to this request. However, if it's online, it will return an RST packet indicating its availability, and the RST packets are sent because the TCP ACK packets sent are not associated with an existing valid connection.
And I have additional information for you, which is that by default TCP ACK ping scans utilize port 80, but this behavior can be customized according to your requirements. And it's important to note that privileged user privileges are required to create a raw packet for TCP acknowledgment (ACK) ping scans. In the absence of these privileges, Nmap resorts to performing a TCP SYN ping scan instead. So furthermore, you can specify the ports to be probed using this technique by listing them after the -PA option. But in this case, since we are telling Nmap to ignore ports, you need to delete the -sn and add your own ports here.

So in conclusion, TCP SYN and TCP ACK ping scans are powerful methods for discovering hosts and assessing their online status. So these techniques, along with their customization options, enable network administrators and security professionals to gain insights into network topologies and potential vulnerabilities.