﻿1
00:00:00,210 --> 00:00:05,550
Correct timing in Nmap scans is important for the accuracy and effectiveness of the scan.

2
00:00:06,800 --> 00:00:13,370
In the case of outside scans, it is usually preferable to use slow scans to avoid devices such as IPS

3
00:00:13,370 --> 00:00:19,280
and IDS, whereas in a scan from an internal network, quick scan options will be preferred.

4
00:00:20,320 --> 00:00:26,350
While fine-grained timing controls are powerful and effective, fortunately, Nmap offers a simple

5
00:00:26,350 --> 00:00:28,480
‫approach with six timing templates.

6
00:00:30,060 --> 00:00:36,210
You can specify them with the uppercase T option and their number, zero through five, or their name.

7
00:00:37,050 --> 00:00:46,740
The template names are paranoid (zero), sneaky (one), polite (two), normal (three), aggressive (four) and insane

8
00:00:46,950 --> 00:00:47,430
(five).

9
00:00:47,610 --> 00:00:50,140
The first two are for IDS

10
00:00:50,160 --> 00:00:56,730
evasion. Polite mode slows down the scan to use less bandwidth and target machine resources.

11
00:00:57,640 --> 00:01:05,560
Normal mode is the default, and so T3 does nothing. Aggressive mode speeds scans up by making the assumption

12
00:01:05,830 --> 00:01:08,800
that you are on a reasonably fast and reliable network.

13
00:01:09,100 --> 00:01:15,280
‫Finally, insane mode assumes that you're on an extraordinarily fast network or you're willing to sacrifice

14
00:01:15,280 --> 00:01:16,510
‫some accuracy for speed.

15
00:01:17,860 --> 00:01:24,400
The max retries option is to specify the maximum number of port scan probe retransmissions.

16
00:01:25,280 --> 00:01:32,480
When Nmap receives no response to a port scan probe, it could mean that the port is filtered, or maybe

17
00:01:32,480 --> 00:01:35,360
the probe or response was simply lost on the network.

18
00:01:36,490 --> 00:01:41,880
It's also possible that the target host has rate limiting enabled that temporarily blocked the response.

19
00:01:42,550 --> 00:01:46,000
So Nmap tries again by retransmitting the initial probe.

20
00:01:46,630 --> 00:01:52,830
If Nmap detects poor network reliability, it may try many more times before giving up on a port.

21
00:01:53,710 --> 00:01:58,000
And while this benefits accuracy, it also lengthens scan times.

22
00:01:58,420 --> 00:02:03,880
So when performance is critical, scans may be sped up by limiting the number of retransmissions allowed.

23
00:02:04,510 --> 00:02:11,560
‫You can even specify Max Retries zero to prevent any retransmissions, though that's only recommended

24
00:02:11,560 --> 00:02:18,670
for situations such as informal surveys where occasional missed ports and hosts are acceptable.

25
00:02:19,630 --> 00:02:25,930
The default with no uppercase T template is to allow 10 retransmissions.

26
00:02:26,890 --> 00:02:34,270
Host timeout is used to give up on slow targets. Some hosts simply take a long time to scan.

27
00:02:34,690 --> 00:02:41,500
This may be due to poorly performing or unreliable networking hardware or software, packet rate limiting

28
00:02:41,500 --> 00:02:43,150
or a restrictive firewall.

29
00:02:43,930 --> 00:02:49,100
The slowest few percent of the scanned hosts can eat up a majority of the scan time.

30
00:02:49,750 --> 00:02:53,950
Sometimes it's best to cut your losses and skip those hosts initially.

31
00:02:54,890 --> 00:03:01,880
Specify host timeout with the maximum amount of time you're willing to wait. For example, specify

32
00:03:01,880 --> 00:03:06,470
30 minutes to ensure that Nmap doesn't waste more than half an hour on a single host.

33
00:03:07,320 --> 00:03:11,760
Note that Nmap may be scanning other hosts at the same time during that half an hour, so it's not

34
00:03:11,760 --> 00:03:12,780
‫a complete loss.

35
00:03:13,820 --> 00:03:20,750
Nmap utilizes parallelism and many advanced algorithms to accelerate the scans. Especially in the

36
00:03:20,750 --> 00:03:27,410
‫case of external scans, it may be necessary to close the parallel scan, that is, to send a single

37
00:03:27,410 --> 00:03:30,080
‫packet to a server at the same time.

38
00:03:30,590 --> 00:03:34,880
Nmap utilizes different options for this purpose. As we saw just a few minutes ago,

39
00:03:35,090 --> 00:03:42,950
you can manage the timing using the uppercase T option. If you use the templates zero (paranoid), one (sneaky)

40
00:03:42,950 --> 00:03:45,920
or two (polite), parallelization is closed.

41
00:03:46,270 --> 00:03:52,790
That means these templates serialize the scan, so only one port is scanned at a time. The scan delay

42
00:03:52,790 --> 00:04:00,050
option causes Nmap to wait at least the given amount of time between each probe it sends to a given

43
00:04:00,050 --> 00:04:00,440
‫host.

44
00:04:01,370 --> 00:04:04,550
This is particularly useful in the case of rate limiting.

45
00:04:05,380 --> 00:04:13,120
Solaris machines, among many others, will usually respond to UDP scan probe packets with only one

46
00:04:13,120 --> 00:04:18,310
ICMP message per second. Any more than that sent by Nmap will be wasteful.

47
00:04:18,760 --> 00:04:22,990
A scan delay of one second will keep Nmap at that slow rate.

48
00:04:23,880 --> 00:04:29,970
Nmap tries to detect rate limiting and adjust the scan delay accordingly, but it doesn't hurt to specify

49
00:04:29,970 --> 00:04:33,150
‫it explicitly if you already know what rate works best.

50
00:04:33,450 --> 00:04:40,710
OK, so by default Nmap calculates an ever-changing ideal parallelism based on network performance.

51
00:04:41,250 --> 00:04:48,450
The max parallelism option is sometimes set to one to prevent Nmap from sending more than one probe

52
00:04:48,450 --> 00:04:49,740
‫at a time to hosts.

53
00:04:51,120 --> 00:04:58,200
Nmap has the ability to port scan or version scan multiple hosts in parallel. Nmap does this by dividing

54
00:04:58,200 --> 00:05:02,490
‫the target IP space into groups and then scanning one group at a time.

55
00:05:03,400 --> 00:05:10,710
When a maximum group size is specified with max host group, Nmap will never exceed that size.

56
00:05:11,440 --> 00:05:17,230
So if you specify the maximum number of hosts in a group as one using the max host group option,

57
00:05:18,240 --> 00:05:23,080
there will be only one host in the group and only one host will be scanned at a time.

58
00:05:23,460 --> 00:05:27,990
‫So what do you reckon the difference is between the Max parallelism and the Max host group?

59
00:05:28,660 --> 00:05:29,250
‫Did you see it?

60
00:05:30,490 --> 00:05:36,750
When you set max parallelism to one, Nmap sends only one packet to a host at a time.

61
00:05:37,570 --> 00:05:43,930
When you set max host group to one, Nmap scans only one host at a time.

