1
00:00:00,090 --> 00:00:05,880
Since SYN scan is the default and the most popular scan option for good reasons, it can be performed

2
00:00:05,880 --> 00:00:12,000
quickly, scanning thousands of ports per second on a fast network not blocked by restrictive firewalls.

3
00:00:13,140 --> 00:00:17,460
It's also relatively stealthy since it never completes TCP connections.

4
00:00:18,600 --> 00:00:24,390
It also allows clear, reliable differentiation between open, closed and filtered states.

5
00:00:25,390 --> 00:00:31,570
This technique is often referred to as half-open scanning because you don't open a full TCP connection.

6
00:00:33,190 --> 00:00:38,440
You send a SYN packet as if you're going to open a real connection and then wait for a response.

7
00:00:39,710 --> 00:00:47,780
A SYN/ACK indicates the port is listening or open, while a RST (reset) is indicative of a non-listener.

8
00:00:48,440 --> 00:00:55,160
If no response is received after several retransmissions or an ICMP unreachable error is received, the

9
00:00:55,160 --> 00:00:56,600
port is marked as filtered.

10
00:00:57,690 --> 00:01:04,020
If you receive a SYN/ACK from the target system, you send a RST instead of the ACK packet and you do

11
00:01:04,020 --> 00:01:05,850
not complete the three-way handshake.

12
00:01:06,950 --> 00:01:11,300
OK, so let's perform an Nmap SYN scan in our virtual network.

13
00:01:13,200 --> 00:01:15,630
Go to Kali and open the terminal screen.

14
00:01:16,290 --> 00:01:19,710
First, let's look at the IP address of Kali to understand the IP block.

15
00:01:20,710 --> 00:01:24,450
Here, my IP block is 172.16.99.

16
00:01:25,150 --> 00:01:30,280
It is because the netmask is 255.255.255.0.

17
00:01:30,910 --> 00:01:33,880
I don't want to go further into network basics in this.

18
00:01:34,270 --> 00:01:34,740
You know what?

19
00:01:34,780 --> 00:01:35,500
OK, fine.

20
00:01:36,160 --> 00:01:39,780
I'm going to add an IPv4 document to the course resources.

21
00:01:39,790 --> 00:01:40,600
You can look it up there.

22
00:01:40,990 --> 00:01:46,150
Now let's create the SYN scan command. nmap is the command itself.

23
00:01:47,270 --> 00:01:53,900
-sS (capital S) is for SYN scan. Since it's the default scan type for privileged users, and I'm already

24
00:01:53,900 --> 00:01:55,070
a privileged user in Kali,

25
00:01:55,340 --> 00:01:58,400
this parameter is not necessary for a SYN scan.

26
00:01:59,660 --> 00:02:01,880
Now here is the target IP block.

27
00:02:02,090 --> 00:02:06,620
172.16.99.0/24.

28
00:02:07,070 --> 00:02:13,280
As we talked about before, remember this is the IP address block from 172.16.99.0

29
00:02:13,520 --> 00:02:19,300
right the way through 172.16.99.255.

30
00:02:19,310 --> 00:02:23,120
And let's give it a fast scan for just the top 50 ports.

31
00:02:23,600 --> 00:02:27,860
I use the --top-ports parameter for this purpose and hit enter.

32
00:02:30,960 --> 00:02:32,400
Now, let's look at the scan results.

33
00:02:32,850 --> 00:02:38,910
Here we have the computers that have the IP addresses 172.16.99.1 and

34
00:02:38,910 --> 00:02:39,360
.2.

35
00:02:40,290 --> 00:02:44,460
These are the gateway and the DNS server for my virtual network VM.

36
00:02:44,850 --> 00:02:45,870
Ignore them for now.

37
00:02:46,770 --> 00:02:49,590
In fact, .1 is my host machine at the same time.

38
00:02:49,620 --> 00:02:53,430
Here there is a system and the open ports are in the top 50.

39
00:02:54,650 --> 00:02:58,310
Well, look, there's another machine and, of course, its open ports.

40
00:03:07,900 --> 00:03:14,020
The machine with IP .254 is the DHCP server of my VM, so ignore that as well.

41
00:03:14,350 --> 00:03:17,410
And the last machine found is Kali itself.

42
00:03:18,400 --> 00:03:22,960
OK, let's open Wireshark and see what's happening when a SYN scan is performed.

43
00:03:24,020 --> 00:03:31,700
Run Wireshark. First, double-click eth0 to start listening on that interface. Now, to skip the packets

44
00:03:31,700 --> 00:03:33,260
which we are not interested in,

45
00:03:33,680 --> 00:03:34,580
I add a filter.

46
00:03:35,180 --> 00:03:37,910
I only want to see the traffic for my destination computer.

47
00:03:38,180 --> 00:03:41,540
172.16.99.139.

48
00:03:42,410 --> 00:03:44,690
And I want to see the TCP traffic only.

49
00:03:45,790 --> 00:03:49,060
Click the blue arrow next to the filter bar to activate the filter.

50
00:03:50,270 --> 00:03:52,340
OK, now go to the terminal screen.

51
00:03:53,450 --> 00:04:01,130
I'd like to analyze the SYN scan packets for an open port first. 172.16.99.139

52
00:04:01,130 --> 00:04:03,140
is my destination system.

53
00:04:03,560 --> 00:04:07,040
And I know that port 80 of that system is open.

54
00:04:08,300 --> 00:04:10,430
Hit enter and run the Nmap query.

55
00:04:10,940 --> 00:04:12,860
Yep, the port is open, just as I remember.

56
00:04:14,280 --> 00:04:15,780
So now go back to Wireshark.

57
00:04:16,710 --> 00:04:22,620
I want to stop Wireshark by clicking the red square in the upper left corner, to avoid unwanted packets.

58
00:04:22,920 --> 00:04:24,480
So here we have three packets.

59
00:04:25,380 --> 00:04:30,960
The first packet is from an arbitrary port of Kali to port 80 of the system .139,

60
00:04:31,230 --> 00:04:35,790
the destination system. It is a SYN packet to start the three-way handshake.

61
00:04:36,960 --> 00:04:40,890
The second packet is a SYN/ACK sent by the destination system.

62
00:04:41,760 --> 00:04:45,720
The third packet is a RST sent by Kali because it's a SYN scan.

63
00:04:46,290 --> 00:04:50,010
The three-way handshake is not completed and is corrupted by a RST packet.

64
00:04:51,030 --> 00:04:56,940
Now I restart the Wireshark packet capturing to clean the screen by clicking the upper left blue button.

65
00:04:57,300 --> 00:05:01,680
OK, so this time I scanned a closed port, for example, port 81.

66
00:05:05,710 --> 00:05:09,790
Now, the first packet is a SYN packet to start the three-way handshake again.

67
00:05:10,540 --> 00:05:14,860
The source system is Kali and the destination system is again .139.

68
00:05:16,000 --> 00:05:21,850
The second packet is, for the SYN scan, a RST packet because port 81 is closed.

69
00:05:22,540 --> 00:05:25,180
The destination system sent us a RST packet.

70
00:05:25,780 --> 00:05:28,660
Let's see how Nmap interprets the results of SYN scan.

71
00:05:30,060 --> 00:05:36,450
When we send a SYN packet, the destination system replies with a SYN/ACK packet to show that it's ready for

72
00:05:36,450 --> 00:05:36,960
a connection.

73
00:05:37,990 --> 00:05:43,540
And we send RST to corrupt the handshake. Nmap interprets this result as:

74
00:05:45,080 --> 00:05:45,980
The port is open.

75
00:05:47,100 --> 00:05:52,110
If the destination system replies with a RST packet for our SYN packet, that means:

76
00:05:53,570 --> 00:05:55,910
The port is accessible, but it's closed.

77
00:05:57,040 --> 00:06:00,280
If the destination system doesn't respond to our SYN packet,

78
00:06:01,810 --> 00:06:04,630
Nmap thinks that the packet has been dropped or filtered.

79
00:06:05,140 --> 00:06:07,240
It's a common behavior of firewalls.

80
00:06:08,110 --> 00:06:15,460
If the destination system replies with an ICMP unreachable packet for our SYN packet, again it's interpreted

81
00:06:15,460 --> 00:06:16,300
as filtered.

82
00:06:16,750 --> 00:06:18,730
This is another type of firewall behavior.

