1
00:00:00,760 --> 00:00:05,350
Hello, my name is Stephan, and in this lecture we will explore the fascinating world of network

2
00:00:05,350 --> 00:00:06,310
reconnaissance.

3
00:00:06,640 --> 00:00:07,390
So.

4
00:00:08,550 --> 00:00:15,000
Nmap is renowned for its extensive range of host and port discovery techniques, allowing penetration

5
00:00:15,000 --> 00:00:21,000
testers and system administrators to gather critical information about their networks.

6
00:00:21,000 --> 00:00:27,240
By utilizing these techniques, we can effectively scan hosts even in the most restricted environments.

7
00:00:27,240 --> 00:00:33,600
So let's explore some of the key techniques employed by Nmap for host discovery.

8
00:00:35,060 --> 00:00:37,460
We can also trace routes with Nmap.

9
00:00:37,460 --> 00:00:39,950
So tracing routes with Nmap.

10
00:00:41,250 --> 00:00:47,880
From the scanning machine to the target host can provide valuable insight into the network topology.

11
00:00:47,910 --> 00:00:52,680
Nmap enables us to include traceroute information during our scans.

12
00:00:52,680 --> 00:00:57,750
So for example, now we will enter the nmap -sn.

13
00:00:59,390 --> 00:01:02,900
-sn, and we will add a --traceroute option.

14
00:01:04,830 --> 00:01:11,430
So by using this option, we can trace the path taken by packets from our machine to the target host.

15
00:01:11,640 --> 00:01:13,260
Let's do this example here.

16
00:01:13,260 --> 00:01:18,040
So nmap --traceroute and here we will enter some website.

17
00:01:18,060 --> 00:01:21,090
In this case it's going to be, for example, code sally.

18
00:01:21,240 --> 00:01:23,460
This is our application which we.

19
00:01:24,320 --> 00:01:29,990
Our website which we installed for penetration testing in this course here.

20
00:01:29,990 --> 00:01:37,460
And as you can see here, traceroute has to run as root and we will use this sudo here and after that

21
00:01:37,460 --> 00:01:41,090
and as you can see here, this is our traceroute.

22
00:01:41,090 --> 00:01:47,660
So this command initiates a ping scan with traceroute enabled for both the.

23
00:01:49,140 --> 00:01:51,630
Constantly on our host machine.

24
00:01:51,630 --> 00:01:56,460
So we can also add another here, for example, Google.com and here.

25
00:01:56,460 --> 00:01:56,970
That's it.

26
00:01:56,970 --> 00:01:57,660
So.

27
00:01:58,500 --> 00:02:05,970
This allows us to visualize the network path and identify potential bottlenecks or routing areas

28
00:02:05,970 --> 00:02:06,210
here.

29
00:02:06,210 --> 00:02:09,360
As you can see, we don't have any issue on routing here.

30
00:02:09,360 --> 00:02:19,860
So, segment three: leveraging NSE scripts during host discovery. Nmap's scripting capabilities through

31
00:02:19,860 --> 00:02:21,390
the Nmap scripting engine.

32
00:02:21,390 --> 00:02:28,890
NSE here provides a powerful way to gather additional information about a target during the host discovery

33
00:02:28,890 --> 00:02:29,370
phase.

34
00:02:29,370 --> 00:02:37,140
By executing the Nmap scripting engine scripts, we can extract valuable insights about a target service's

35
00:02:37,140 --> 00:02:45,930
vulnerabilities or even perform specific tasks. To execute an Nmap scripting engine script without conducting

36
00:02:45,930 --> 00:02:52,860
a port scan, we can use the -sn option to skip port scanning and specify the desired script using

37
00:02:52,860 --> 00:02:54,870
the --script option.

38
00:02:54,870 --> 00:03:03,730
So here what we're going to do is nmap --script here and we will use the dns-brute, dns-brute as an Nmap

39
00:03:03,730 --> 00:03:04,870
scripting engine script.

40
00:03:04,870 --> 00:03:11,620
So dns-brute here and after that we will enter our target domain or IP address.

41
00:03:11,620 --> 00:03:16,720
So in this case it's going to be console here, dot com and here.

42
00:03:19,640 --> 00:03:22,010
We will pay the execution here.

43
00:03:30,170 --> 00:03:33,350
Let's actually run with the sudo privileges.

44
00:03:44,540 --> 00:03:48,680
And here, as you can see here, we got no target specified.

45
00:03:48,680 --> 00:03:51,530
And so zero hosts scanned.

46
00:03:55,610 --> 00:04:00,710
And here, if you are getting this error, you can also use the alternative script for this here.

47
00:04:00,710 --> 00:04:09,370
So instead of writing dns-brute here, you can also write dns-nsec-enum and after that you

48
00:04:09,380 --> 00:04:12,590
enter your domain or IP address.

49
00:04:12,590 --> 00:04:22,310
So here this is an alternative and this script performs a DNS enumeration by querying for DNSSEC records,

50
00:04:22,310 --> 00:04:25,520
which can provide valuable information about the domain.

51
00:04:25,520 --> 00:04:27,560
And here now, we will get.

52
00:04:28,400 --> 00:04:29,480
An output here.

53
00:04:42,030 --> 00:04:49,670
And also keep in mind that the success of this command depends on the availability of this dns-nsec-

54
00:04:49,710 --> 00:04:56,340
enum script and your network configuration, and you may need to install additional Nmap scripting engine

55
00:04:56,340 --> 00:05:02,130
scripts or adjust the command according to your specific environment.

56
00:05:02,220 --> 00:05:04,950
So if you need any.

57
00:05:06,040 --> 00:05:12,820
Assistance, or if you encounter any errors, feel free to ask me in the.

58
00:05:14,160 --> 00:05:15,900
Question section of our course.

59
00:05:15,900 --> 00:05:18,930
And as you can see here, we got a lot of information here.

60
00:05:18,930 --> 00:05:21,570
We got ports and this here.

61
00:05:21,660 --> 00:05:30,180
So here in this command, we are executing this DNS NSEC script during host discovery, which attempts

62
00:05:30,180 --> 00:05:34,530
to brute force DNS records for the cozily.com domain.

63
00:05:34,530 --> 00:05:42,840
This can reveal hidden subdomains, but also provide valuable information here and as you can see,

64
00:05:42,870 --> 00:05:44,700
open ports and so on.

65
00:05:44,700 --> 00:05:48,600
So we can also use the -sn here before the --script here.

66
00:05:48,600 --> 00:05:51,720
And let's see how the port will change.

67
00:05:51,720 --> 00:05:56,280
And as you can see here, this is now we are not scanning ports.

68
00:05:56,280 --> 00:06:04,230
This parameter will not scan ports here and here we are sending this host record, server here.

69
00:06:04,230 --> 00:06:07,890
And as you can see here, our hosting for this domain.

70
00:06:08,990 --> 00:06:14,000
Contains this domain address here, and this is the IP address of this.

71
00:06:17,110 --> 00:06:24,400
And one interesting Nmap scripting engine script available in Nmap is the broadcast-ping script, which

72
00:06:24,400 --> 00:06:31,750
utilizes a broadcast ping request to identify online hosts within a network by broadcasting a ping message.

73
00:06:31,780 --> 00:06:39,370
Nmap can detect hosts that respond even if they have restrictive firewall rules.

74
00:06:39,370 --> 00:06:46,270
And to use this script, we specify it with the --script option as we did earlier, along with the desired

75
00:06:46,300 --> 00:06:47,710
target range.

76
00:06:47,710 --> 00:06:51,550
So we will do nmap -sn here, --script again.

77
00:06:52,840 --> 00:06:55,150
With two year script.

78
00:06:56,860 --> 00:07:03,680
And after that we will enter the broadcast-ping and 192.168.

79
00:07:04,570 --> 00:07:06,670
Let's actually see our.

80
00:07:09,120 --> 00:07:10,260
ifconfig IP.

81
00:07:10,350 --> 00:07:15,630
Local IP address 13 138 13 one here.

82
00:07:15,630 --> 00:07:19,260
And after that we will enter the /24 and here.

83
00:07:22,560 --> 00:07:23,140
And nmap.

84
00:07:23,490 --> 00:07:28,950
And so we need to actually, oops, we had the error with this typo here.

85
00:07:30,020 --> 00:07:32,780
Broadcast and that's it.

86
00:07:33,880 --> 00:07:36,460
And as you can see, it's not running for lack of privileges.

87
00:07:36,460 --> 00:07:43,150
So we need to run it with sudo here, root privileges here and now you will see an output.

88
00:07:45,930 --> 00:07:46,860
And here.

89
00:07:46,860 --> 00:07:54,360
So with this command, we are scanning the local network with the IP range of this one /24, which

90
00:07:54,750 --> 00:08:05,520
we will scan this IP address from 0 to 256 here using this broadcast-ping and here, this can be particularly

91
00:08:05,520 --> 00:08:12,040
useful in scenarios where your host might not respond to traditional ping requests here.

92
00:08:12,060 --> 00:08:18,480
So in conclusion, Nmap's discovery capabilities provide a powerful arsenal for network reconnaissance.

93
00:08:18,480 --> 00:08:26,640
By understanding and leveraging techniques such as traceroute, NSE (Nmap Scripting Engine) scripting

94
00:08:26,820 --> 00:08:33,930
and specialized scripts like broadcast-ping, we can gain comprehensive insights into network environments,

95
00:08:33,930 --> 00:08:38,280
identify active hosts and uncover potential vulnerabilities.

96
00:08:38,280 --> 00:08:45,870
So equip yourself with the knowledge of Nmap's host discovery features and embark on your network reconnaissance

97
00:08:45,970 --> 00:08:48,070
journey with confidence.