Scanning with Nmap

00:00

scanning with end map

00:02

and this lesson will understand how to use end map to scan for open ports and services.

00:08

So n map is my go to It's been around a long time. I've used it for many years. Um I think it's been around for like 23 years. It's been and they keep working on this project, they keep improving it. I think they have like interns or people volunteer every summer to improve the end map scripting engine. So I think it's, I think it's a fast scanner. Of course maskin is even faster,

00:31

but end map is very versatile. It scans uh for TCP UDP um and like I said, it's great for for banner grabbing an enumeration and I can't say enough good things about it.

00:46

It's so good that I memorized all the flags and you may have your go to flags when you use end map, but I certainly have mine.

00:53

If you want to scan a single host, you just do end map and the hosts iP address. Or you could do google dot com. Although don't use google dot com.

01:00

Use something you're authorized to scan.

01:03

I would say that using that tak V. Or I use three V. S. For very very verbose. Um Make sure output a lot. You know, you see things come up a lot faster than if you just wait and see nothing for a while.

01:19

Um You can also scan multiple I PS uh You can do cider addresses like that. 19216811 whack 24. Or you can do that attack 1 to 100. That scans host 1 to 100.

01:34

Um You can also scan from a file. So if I have all my I. P. S. In a list. Uh I can use the little I. Big L. Flag and like I talked about in Lennox kept everything is case sensitive. Things are case sensitive in n map to if I did a big I uh it would not be the same as little I little little I big L

01:53

also specifying ports is important if you want to scan a single port, you know, or a few ports you can use comma and those ports or scan all ports. The p the tack. Pitak

02:07

scans all ports. I would say no SCP. It's a good idea to scan all ports just because you never know. You never know if they're hiding something in a certain port because they know that if you do a default and maps can you will not be able to find that service that's vulnerable.

02:23

Yeah.

02:23

Udp you need root privileges. That's why I like you. Everything is route. If you're not, you have to do Sudo and map S. U. Which will scan. Udp. UdP is not as reliable just because it's not like TCP where you have that three way handshake. Uh UDP it does scan for UdP but the scans are not as reliable as TCP.

02:45

Uh no ping scan. That's an important one to know the P. N. If if you're for some reason I see mps not getting through. Uh you can do the big P little N. And it will treat that host as being up and scan scan that host.

03:00

So you may also find that a useful flag as well.

03:05

Also during O S. C. P. Or P W K. Or whatever you want to. You want to write your output to a file. So little Oh, big End is normal. You have xml you have regrettable format. I like using the little Oh big A just because you get every format in case you don't like one output, you have all the outputs then.

03:23

Okay

03:23

timing. So from 0 to 55 is insane. It's the fastest scan. Four is kind of my go to for these P W K C T F style things. I think four is just fine.

03:37

Right?

03:38

So flags, I think a good combo is S C S V. Because it's can use default scripts and also scans for the version. So it won't just tell you what that the ports open. It will try to tell you what services running on that port

03:53

for the map scripting engine. You can also do uh, tactics, script. Vollmann, that kind of goes through some default vulnerable N S E scripts. The tack A is an aggressive scan. So it's basically like doing S C S. V. With some other things.

04:10

I will warn you though I did that on my home network and my printer started printing things

04:14

all of a sudden. So just be careful when you're using the tack a in a production environment or an environment that has hosts that are important to you.

04:25

Especially printers. Just be careful when you use that option.

04:29

Um You know SCP scan all your targets very very early in the exam and of course when you write the report you're gonna have to say what the what ports are open. Don't forget. UdP. Um So ensure that you scan as early as possible.

04:47

So in summary we we understand how to use end map to scan for open ports. I want to show you um and map now.

04:57

Okay so we're gonna scan a host

05:00

and as you can see here I'm using the up arrow because it's going through all my previous commands you probably see what I was doing here.

05:08

But I'm scanning this host here. I'm scanning 192168

05:15

1178. As you can see I do the SV for versions and sc for the default scripts.

05:24

And you can see here because I have the V V V very very verbose flag. I have a lot of output off the bat.

05:30

I can see Port 445 is open 21 139.

05:34

So it's going to do some things here. These scans can take a while, so I'm going to pause the video here.

05:42

All right. So we can see that scan took a little over a minute and it sent

05:46

2000 packets.

05:49

But we we can see we have a lot of information here. I can see Port 21 is open

05:55

and the version is war ftp 1.65 and the name is Cyberrays ftp service

06:01

using the S. C. You also have that default scripts, so FTp, a non so anonymous ftp login is allowed, bounce is working. We see that port 139 is open

06:12

Port, which is not bio support for 45 is open.

06:16

So if we look here, we can see that some other scripts were run clock, skew, nbt stat.

06:24

Um and we see some information about SMB here. S M B O S Discovery.

06:30

So we know that we're working with Windows XP. Also it's called Old School. I wonder why Windows XP.

06:36

Um so you can see you have a lot of information just from a simple script. I also talked about

06:42

that using tax, tax script

06:47

equals bone and let's see what we get this time.

06:55

So just just a teaching point here I fat fingered the last one.

07:00

Um we're at a space equals bone. That needs to be together

07:05

script phone. So you can see just by by not doing the correct command being one space off, you don't get the right output.

07:15

But if I see here

07:16

it's still working. But now here we go.

07:19

So it's running that uh that script bone against this machine and we can see here we have some good information that we didn't have in the last scan. We see that this SMB version is vulnerable to M. S. 17 010 or eternal blue.

07:36

So just using that that vulnerable that script bone script can get us some useful information off the bat.