1
00:00:00,270 --> 00:00:06,540
One of the very first steps in any network reconnaissance mission is to reduce a set of IP ranges into

2
00:00:06,540 --> 00:00:14,070
a list of active or interesting hosts. Scanning every port of every single IP address is slow and usually

3
00:00:14,070 --> 00:00:22,920
unnecessary. With the no port scan option, the -sn option, which was known as -sP in previous releases,

4
00:00:23,640 --> 00:00:31,020
you tell Nmap not to do a port scan after host discovery and only print out the available hosts that

5
00:00:31,020 --> 00:00:33,300
responded to the host discovery probes.

6
00:00:33,330 --> 00:00:35,760
This scan type is often known as a ping scan.

7
00:00:36,840 --> 00:00:43,170
Systems administrators often find this option valuable as well. It can easily be used to count available

8
00:00:43,170 --> 00:00:46,500
machines on a network or monitor server availability.

9
00:00:47,040 --> 00:00:53,430
This is often called a ping sweep and is more reliable than pinging the broadcast address because many

10
00:00:53,430 --> 00:00:55,740
hosts do not reply to broadcast queries.

11
00:00:56,310 --> 00:01:00,810
The default host discovery done with -sn, when executed by a privileged user,

12
00:01:01,290 --> 00:01:01,950
sends

13
00:01:02,860 --> 00:01:05,050
an ICMP echo request,

14
00:01:06,080 --> 00:01:08,900
a TCP SYN packet to port 443,

15
00:01:09,860 --> 00:01:12,230
a TCP ACK packet to port 80,

16
00:01:13,110 --> 00:01:16,530
and an ICMP timestamp request by default.

17
00:01:17,380 --> 00:01:24,790
When executed by an unprivileged user, only SYN packets are sent, using a connect call, to ports 80 and

18
00:01:24,790 --> 00:01:31,210
443 on the target. When a privileged user tries to scan targets on a local Ethernet network,

19
00:01:31,460 --> 00:01:35,380
ARP requests are used unless --send-ip was specified.

20
00:01:36,210 --> 00:01:42,720
Let's perform the first Nmap scan of the course using a ping scan, also known as no port scan. Nmap

21
00:01:42,960 --> 00:01:45,300
is embedded in Kali and defined in the path,

22
00:01:45,900 --> 00:01:50,520
so you can run Nmap from anywhere just by typing nmap in a terminal screen.

23
00:01:50,790 --> 00:01:55,200
When you type nmap and hit enter, you get the help page of Nmap.

24
00:01:55,620 --> 00:01:59,240
You can also look at the man page by typing man nmap

25
00:01:59,400 --> 00:02:00,170
to learn more.

26
00:02:00,510 --> 00:02:03,150
Let's build an nmap command to perform a ping scan.

27
00:02:04,290 --> 00:02:10,590
After the command itself, nmap, I first add the -sn parameter to define the scan type as ping scan.

28
00:02:11,540 --> 00:02:14,770
Note that the order of the parameters is not important in Nmap.

29
00:02:15,890 --> 00:02:23,160
Now, enter the only mandatory parameter, the IP address. Here I enter 172.16.99.0/24.

30
00:02:23,330 --> 00:02:29,120
Network gurus already know what it is. Keeping it very simple,

31
00:02:29,120 --> 00:02:36,620
it means the IP address is between 172.16.99.0 and

32
00:02:36,650 --> 00:02:38,540
172.16.99.255.

33
00:02:39,540 --> 00:02:42,090
Now let's hit enter and run the command.

34
00:02:45,110 --> 00:02:48,900
And the results are in. These are the hosts which are up.

35
00:02:49,610 --> 00:02:52,970
That means these are the systems that responded to our requests.

36
00:02:53,900 --> 00:03:01,070
Remember from the previous slide, our requests are an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port

37
00:03:01,070 --> 00:03:03,830
80 and an ICMP timestamp request,

38
00:03:04,280 --> 00:03:10,160
if the user is privileged. The IP addresses or the domain names of the systems are spread across

39
00:03:10,160 --> 00:03:10,550
the lines.

40
00:03:10,670 --> 00:03:11,570
In most cases,

41
00:03:11,570 --> 00:03:15,990
we want to see the IP addresses of the hosts as a list to use in further scans.

42
00:03:16,910 --> 00:03:22,370
So what can we do to see only the IP addresses of the live systems?

43
00:03:23,000 --> 00:03:26,780
Well, we're going to use the power of the Linux command shell.

44
00:03:27,790 --> 00:03:33,400
First, let's clear some lines of the result which do not contain IP addresses, so I'll only have the

45
00:03:33,400 --> 00:03:36,540
lines with IP addresses. To be able to do this,

46
00:03:36,850 --> 00:03:39,700
I'll use the grep command with a pipe.

47
00:03:40,570 --> 00:03:48,340
Copy a static part of the IP lines, for example "Nmap scan", and give it as a parameter of the grep command.

48
00:03:48,910 --> 00:03:50,230
Let me give you a little tip here.

49
00:03:50,230 --> 00:03:55,990
If you're using a mouse, select a string in the terminal screen and press the middle button of the

50
00:03:55,990 --> 00:03:58,360
mouse to copy and paste the selected part.

51
00:04:00,020 --> 00:04:03,170
Now we only have the lines which contain the IP addresses.

52
00:04:07,740 --> 00:04:13,470
But wait a second, we have a domain name of a host. Let's get rid of the domain name and see only

53
00:04:13,470 --> 00:04:14,580
the IP address of it.

54
00:04:15,560 --> 00:04:22,350
Add to the nmap command the -n parameter to avoid the name resolution, so Nmap will display only

55
00:04:22,350 --> 00:04:23,210
the IP address.

56
00:04:24,240 --> 00:04:26,220
Now we have the lines with IP addresses.

57
00:04:27,420 --> 00:04:32,460
Now the second step is to clear the words in the lines to have only the IP addresses.

58
00:04:33,480 --> 00:04:36,180
To do this, we'll use the cut command of the Linux shell.

59
00:04:39,460 --> 00:04:44,530
The delimiter here is the space character; give it with the -d parameter.

60
00:04:48,680 --> 00:04:49,760
The IP is the

61
00:04:51,800 --> 00:04:55,670
fifth field of the line; give it with the -f parameter.

62
00:04:56,600 --> 00:04:58,910
Now we have the IP list of the live hosts.

