00:00:02,420 --> 00:00:40,040
So Nmap is the most powerful and preferred scanner for security professionals. The usage of Nmap varies from the basics to an advanced level, so we will analyze the various scan techniques in detail. You can run Nmap directly from msfconsole, as you normally would from the command line. However, if you want to import the results into the Metasploit database, you need to run the Nmap scan using the -oX flag, followed by the desired file name, to generate the XML output file, and then use the db_import command to populate the Metasploit database.

00:00:40,430 --> 00:01:05,750
So how to do it: starting Nmap from Metasploit is easy. Launch msfconsole here, and then here. It may take some time. As you can see, the Metasploit Framework console is here, right up here. So, as you can see, we can start Nmap from within the Metasploit console.

00:01:06,710 --> 00:01:43,030
So the TCP connect scan is the most basic and default scan type in Nmap. It follows a three-way handshake process to detect the open ports on the target machine. So let's perform this scan on one of our targets. Let me show you here. So now we will do a port scan here, so I looked at our target machine. I'll run it here: nmap
00:01:43,990 --> 00:02:11,570
-sT and then your target IP address. So, for example, in my case, it is one nine two, one six eight, and then one eight eight, one eight eight, and one three five, one three four.

00:02:11,690 --> 00:02:37,820
So it can also scan the LAN addresses to find the LAN hosts. Or, as well, I had the opportunity to look, from my scan, at my local IP address and find this IP address from it. But for instance, I just looked at it. More examples will be in this lecture.

00:02:38,930 --> 00:03:05,450
And press enter. After waiting a little, as you can see here, we have several IP addresses open here. So we have here ipp, X11, ..., Microsoft, NetBIOS, ..., SMTP, FTP, and so many ports here.

00:03:05,990 --> 00:03:33,330
So, actually, now let's see. As you can see here, the TCP connect scan is the most basic and default scan type in Nmap. As you can see, we passed the -sT parameter, which denotes that we want to perform a TCP connect scan. The TCP connect scan is based on the three-way handshake process, and the returned results of the scan are considered accurate.
00:03:33,510 --> 00:03:54,270
So then, using nmap -sS followed by a space and the range, Nmap scans the most common 1000 ports for each protocol. This is the SYN (synchronization) scan. So what is the SYN scan, and how do we do it? It is not -sT, but -sS. See it.

00:03:54,840 --> 00:04:07,500
So the SYN scan is considered a stealth scanning technique, as it never forms a complete connection between the target and the scanner. Hence, it is also called half-open scanning.

00:04:07,710 --> 00:04:54,510
So let's analyze the SYN scan on the target. So nmap -sS, and after this, we will specify the port range here: nmap -sS, and the ports will come from port 22 to 5000. So this needs root privileges here. So we add sudo and enter the password; as you can see, the scan started. So, is this parameter here? Can you see it? Oops, I'm sorry. Here. Yes. So.

00:04:55,900 --> 00:05:12,850
The -sS parameter here will instruct Nmap to perform a SYN scan on the target machine. -sS: what this does is TCP SYN. So this means the SYN scan is run on the target machine.
00:05:13,510 --> 00:05:39,820
So the output of the TCP connect scan and the SYN scan here, as you can see, may be similar in most of the cases. But the only difference lies in the fact that SYN scans are difficult to detect by firewalls and intrusion detection systems. Modern firewalls, however, are capable enough to catch SYN scans as well.

00:05:40,150 --> 00:06:17,770
So the -p parameter here shows the range of port numbers that we want to scan. So we used -p 22-5000 here, from 22 to 5000, but we can use 0 to 65535, so that all ports are included here. So.

00:06:20,050 --> 00:07:05,610
The UDP scan. So the next thing we will think about here is the UDP scan. It is a scanning technique to identify the open UDP ports. So here, let me write it here. For UDP ports, -sU is for UDP ports. So, to identify the open UDP ports on the target, UDP packets are sent to the target machine, and the receipt of an ICMP port unreachable message means that the port is closed; otherwise it is considered open. And it can be used like that.
00:07:05,610 --> 00:07:42,890
For example, nmap -sU on the target IP address. See it, and then execute the program, actually execute the command. It's not mandatory to use sudo; I just mistyped as the user, but it's not a problem here. So, as you can see here, in this command we will check a thousand ports with -sU, the thousand most popular protocol ports here. So it is doing the UDP scan now.

00:08:12,180 --> 00:08:44,100
So, how does this port scanning work here? We have analyzed three different types of scans that can be very helpful during penetration testing. So Nmap provides lots of different modes for scanning a target machine. Here we will focus on three scan types, namely the TCP connect scan, the SYN stealth scan, and lastly the UDP scan. So.

00:08:46,130 --> 00:09:15,320
The different scan options of Nmap can also be combined in a single scan in order to perform a more advanced and sophisticated scan over the target. So let's move ahead and start the scanning process here. During a penetration test, the scanning process can provide lots of useful results, since the information collected here will form the basis of the penetration testing, of course, so proper knowledge of scan types is highly recommended.
00:09:15,710 --> 00:09:34,940
So let's now take a deeper look into each of these scan techniques that we just learned. So the TCP connect scan is the most basic scanning technique, in which a full connection is established with the port under test. It uses the operating system's network functions to establish connections.

00:09:35,420 --> 00:10:18,060
So the scanner sends a synchronization packet here, and then... So the scanner sends a synchronization (SYN) packet to the target machine, so if the port is open, it will return an acknowledgement packet here. Let me write here. Synchronization. Acknowledgement. And I think I'm mistaken with the grammar here, but never mind, you understand.

00:10:18,960 --> 00:10:41,670
So the scanner then sends an acknowledgement packet back to the target, showing the successful establishment of a connection. This is called the three-way handshake process. The connection is terminated as soon as it is over. So the technique has its benefits, but it's easily traceable by firewalls and intrusion detection systems.

00:10:42,030 --> 00:10:54,960
IDS. The SYN scan is another type of TCP scan, but it never forms a complete connection with the target. It doesn't use the operating system's network functions.
00:10:55,530 --> 00:11:25,710
Instead, it generates IP packets and monitors for responses. If the port is open, then the target will respond with an acknowledgement message. So the scanner then sends a reset connection, or RST, message and ends the connection. Hence, it is also called half-open scanning. So this is considered a stealth scanning technique, as it can avoid raising a flag in some misconfigured firewalls and intrusion detection systems (IDS).

00:11:26,400 --> 00:12:04,200
So UDP scanning is a connectionless scanning, hence no notification is sent back to the scanner whether the packet has been received by the target or not. So if the port is closed, then an ICMP port unreachable message is sent back to the scanner. If no message is received, then the port is reported as open. So this method can return false results, as firewalls can block the data packets and therefore no response message will be generated, and it's going to report the port as open. But in reality it is not open, just because of the firewall.