1
00:00:00,000 --> 00:00:04,639
Are you tired of constantly wondering how to use Nmap and what it is capable of?

2
00:00:04,639 --> 00:00:09,439
Well, worry no more! In this comprehensive guide, I'm gonna take you through everything

3
00:00:09,439 --> 00:00:13,679
you need to know about Nmap, from the basics to the more advanced features.

4
00:00:13,679 --> 00:00:17,359
By the end of this video, you will never have to ask again about Nmap,

5
00:00:17,359 --> 00:00:22,080
you'll just become a pro after this video. This video isn't just your average watch,

6
00:00:22,080 --> 00:00:27,679
it's a full-fledged Nmap expedition. Grab your learning gear because we're diving deep.

7
00:00:27,679 --> 00:00:32,079
If you're not prepared to unleash your inner detective, this might not be the video for you.

8
00:00:32,960 --> 00:00:35,280
Alright, let's start with the foundation of Nmap.

9
00:00:36,719 --> 00:00:42,719
Picture this. Back in the day, the genius Gordon Lyon, a.k.a. Fyodor, dropped the bomb that is Nmap

10
00:00:42,719 --> 00:00:49,039
in the legendary pages of Phrack Magazine Vol. 7, Issue 51. You can still catch the vibes of

11
00:00:49,039 --> 00:00:54,640
its inception at their website. Fast forward to today, and Nmap is still stealing the spotlight

12
00:00:54,640 --> 00:00:58,640
as one of the holy grails in network reconnaissance and cybersecurity auditing.

13
00:00:59,280 --> 00:01:03,920
It all started as a bang-up port scanner, blowing minds with groundbreaking techniques

14
00:01:03,920 --> 00:01:09,840
for port discovery. But oh my friends, it didn't stop there. Nmap has evolved into a family of

15
00:01:09,840 --> 00:01:15,920
rockstar networking tools, featuring headliners like Ncrack, the rockstar of network authentication

16
00:01:15,920 --> 00:01:20,159
cracking, jamming out support for all your favorite applications and protocols.

17
00:01:20,799 --> 00:01:25,840
Then we've got Ncat, the upgraded version of Netcat on steroids, rocking encryption out of

18
00:01:25,840 --> 00:01:32,239
the box and getting all fancy with Lua scripts. But wait, there's more! Enter Nping, the maestro

19
00:01:32,239 --> 00:01:37,599
of custom network packet crafting for all your diagnostics and troubleshooting needs. And let's

20
00:01:37,599 --> 00:01:44,000
not forget Zenmap, the cross-platform GUI for Nmap, where usability meets sophistication.

21
00:01:44,000 --> 00:01:49,039
And at the heart of it all, we've got the Nmap Scripting Engine, NSE, a game changer.

22
00:01:49,040 --> 00:01:53,600
It snatches up intel from scanned targets and hands you the power to script additional

23
00:01:53,600 --> 00:01:59,280
tasks using Lua. It's like having a cyber wizard at your fingertips, weaving magic spells in the

24
00:01:59,280 --> 00:02:05,200
world of networking. Before delving into Nmap, it's crucial to grasp the following concepts.

25
00:02:06,000 --> 00:02:12,080
Firewalls, routers, proxy servers, and other security devices can influence Nmap scan results.

26
00:02:12,719 --> 00:02:17,920
Scanning remote hosts outside your local network may yield misleading information due to these

27
00:02:17,920 --> 00:02:24,800
factors. Certain scanning options necessitate elevated privileges. On Unix and Linux systems,

28
00:02:24,800 --> 00:02:29,600
you might need to log in as the root user or execute Nmap using the sudo command.

29
00:02:30,720 --> 00:02:34,720
Alongside these considerations, it's essential to heed the following warnings.

30
00:02:35,440 --> 00:02:40,240
Scanning networks without proper authorization can lead to repercussions with your internet service

31
00:02:40,240 --> 00:02:45,680
provider, law enforcement, and potentially government entities. Avoid scanning sensitive

32
00:02:45,680 --> 00:02:51,520
sites like FBI or Secret Service websites unless you want legal trouble. Aggressively

33
00:02:51,520 --> 00:02:56,960
scanning certain systems may induce crashes, resulting in undesirable outcomes such as system

34
00:02:56,960 --> 00:03:02,319
downtime and data loss. Exercise caution when scanning mission-critical systems.

35
00:03:02,879 --> 00:03:06,319
Approach each scan with the awareness of potential consequences.

36
00:03:07,600 --> 00:03:13,360
Installing Nmap. Unlocking the full potential of Nmap goes beyond the default pre-installation

37
00:03:13,360 --> 00:03:19,520
in Kali Linux. Let's take control and elevate our capabilities by installing Nmap from the source

38
00:03:19,520 --> 00:03:25,280
code. Why source code, you ask? Well, my friends, let's talk about the beauty of installing Nmap

39
00:03:25,280 --> 00:03:30,560
straight from the source. You see, when you embark on the journey of building Nmap from the raw,

40
00:03:30,560 --> 00:03:35,120
unfiltered source code, you're opening the door to a realm of possibilities.

41
00:03:35,120 --> 00:03:39,120
The first perk, my friends, is the allure of the latest and greatest features.

42
00:03:39,759 --> 00:03:43,920
By immersing yourself in the source code, you get to bask in the glory of the freshest

43
00:03:43,920 --> 00:03:49,360
functionalities and the sweet nectar of bug fixes. It's like sipping on the elixir of progress.

44
00:03:53,520 --> 00:03:58,640
Imagine having the power to tailor Nmap to your heart's desire. Enable what you need,

45
00:03:58,640 --> 00:04:03,200
disable what you don't. It's a dance of options, a symphony of choice,

46
00:04:03,200 --> 00:04:09,040
all at the tip of your command line. Building Nmap from source takes a little extra work,

47
00:04:09,039 --> 00:04:13,120
but is well worth the effort to get the new features in Nmap's latest release.

48
00:04:14,879 --> 00:04:19,439
Precompiled Nmap packages can be found for all major platforms at this page,

49
00:04:19,439 --> 00:04:23,599
for those who do not feel like setting up the build environment. When working with

50
00:04:23,599 --> 00:04:28,639
precompiled packages, just make sure that you grab the latest version to avoid missing important

51
00:04:28,639 --> 00:04:34,319
fixes or enhancements. This is especially important with Windows and the Npcap driver,

52
00:04:34,319 --> 00:04:36,639
which has gone through some serious improvements.

53
00:04:37,920 --> 00:04:42,800
Before we proceed, let's ensure that Subversion is installed on your Kali Linux.

54
00:04:42,800 --> 00:04:47,839
Kali typically comes pre-installed with Subversion, so you need not worry. Simply

55
00:04:47,839 --> 00:04:54,079
open the terminal and type svn. As you can see, it's already installed, as it should be;

56
00:04:54,079 --> 00:04:58,639
you'll see the familiar commands. If in some cases it's not installed, don't fret.

57
00:04:59,360 --> 00:05:04,560
Kali will prompt you to install it. Just type Y, and it will seamlessly install for you.

58
00:05:05,919 --> 00:05:11,599
The Subversion repository, hosted at this link, contains the latest development version of Nmap

59
00:05:11,599 --> 00:05:15,839
and has world-read access that allows anyone to grab a copy of the source code.

60
00:05:16,639 --> 00:05:22,800
The installation process described in this recipe also installs Ncat, Zenmap, Ndiff, and Nping.

61
00:05:23,759 --> 00:05:28,800
As we embark on this journey, building Nmap requires additional libraries like the development

62
00:05:28,800 --> 00:05:34,720
definitions from OpenSSL and the make command. Execute the following command to install the

63
00:05:34,720 --> 00:05:42,720
necessary dependencies. It's important to note that while OpenSSL is optional, its absence may

64
00:05:42,720 --> 00:05:49,840
cripple Nmap functionality. Nmap relies on OpenSSL for vital functions such as integers, hashing,

65
00:05:50,080 --> 00:05:56,240
and encoding and decoding SSL requests, crucial for both service detection and the Nmap scripting

66
00:05:56,240 --> 00:06:10,000
engine. Having completed the preliminary steps, we are now set to install Nmap from the source

67
00:06:10,000 --> 00:06:17,360
code. First things first, type the following command: svn co, followed by the Nmap source code link.

68
00:06:19,680 --> 00:06:22,720
This command initiates the download and listing of files.

69
00:06:29,360 --> 00:06:33,600
Once it completes, you'll receive a message indicating that a new directory containing

70
00:06:33,600 --> 00:06:39,040
the source code is now available in your current working directory. Assuming you've installed all

71
00:06:39,040 --> 00:06:45,360
the necessary dependencies, you're now ready to compile Nmap. Navigate to the directory by typing

72
00:06:46,240 --> 00:06:53,680
cd nmap.

73
00:07:03,040 --> 00:07:09,680
For a complete list of configuration directives, use the help argument: ./configure --help.

74
00:07:15,360 --> 00:07:26,240
Then execute the configuration command: ./configure.

75
00:07:27,759 --> 00:07:35,680
This command initiates the configuration process. Be patient for a few minutes.

76
00:07:45,360 --> 00:08:09,680
Upon successful completion of the configuration, you should see a message indicating so.

77
00:08:16,080 --> 00:08:24,960
Now it's time to compile Nmap. Simply type make. This will compile Nmap,

78
00:08:24,960 --> 00:08:28,560
and you'll be ready to utilize its enhanced capabilities on your system.

79
00:08:34,800 --> 00:08:40,639
Oh no, we got an error. No worries, after some diligent research, we've found a solution.

80
00:08:41,439 --> 00:08:46,639
To fix this issue, simply downgrade the setuptools version by typing the following command.

81
00:08:49,279 --> 00:08:58,960
Now let's give it another shot. Type make install.

82
00:09:04,240 --> 00:09:09,279
Upon successful completion, you'll receive a message confirming that Nmap has been installed.

83
00:09:10,799 --> 00:09:15,279
You're now all set to unleash the power of Nmap across your entire system.

84
00:09:15,279 --> 00:09:18,960
Now that we've successfully compiled Nmap, we are all set to roll.

85
00:09:19,679 --> 00:09:23,919
If, for instance, you wish to open Zenmap, follow these simple steps.

86
00:09:24,799 --> 00:09:33,679
Navigate to the Zenmap directory by entering cd zenmap. Then execute Zenmap by typing

87
00:09:33,680 --> 00:09:45,760
./zenmap. You're now ready to explore the powerful features of Zenmap on your system.

88
00:09:45,760 --> 00:09:54,720
You can use the others like this too, but Nmap is ready to go.

89
00:10:03,680 --> 00:10:16,960
If you want to try the latest creations of the development team, there is a folder named

90
00:10:16,960 --> 00:10:21,280
nmap-exp that contains several experimental branches of the project.

91
00:10:21,840 --> 00:10:27,600
The code stored in this folder is not guaranteed to work all the time, as it is used as a sandbox

92
00:10:27,600 --> 00:10:32,480
by developers, although some hidden gems can be found there from time to time.

93
00:10:32,480 --> 00:10:34,639
these branches are located at this website.

94
00:10:39,120 --> 00:10:44,000
Okay, now we are good to start scanning, but if you want to install Nmap on Windows,

95
00:10:44,000 --> 00:10:48,000
it is so simple; I will put a link in the description, and you can download it from there.

96
00:10:55,200 --> 00:11:00,320
Now let's embark on the Nmap journey, progressing from the basics to advanced techniques.

97
00:11:00,400 --> 00:11:05,360
Let's kick things off with a straightforward scan, no fancy Nmap options involved.

98
00:11:05,360 --> 00:11:10,560
Before we embark on this journey, it's essential to clarify that my target is my Windows virtual

99
00:11:10,560 --> 00:11:16,400
machine. Additionally, the scanme.insecure.org server serves as a common example target

100
00:11:16,400 --> 00:11:21,040
frequently used throughout this video. It's worth noting that this particular system is

101
00:11:21,040 --> 00:11:28,560
graciously hosted by the Nmap project. In the sacred realm of command line

102
00:11:28,560 --> 00:11:34,800
incantations, seek enlightenment and guidance with the venerable Nmap. Behold, the mystic symbol

103
00:11:34,800 --> 00:11:42,720
-h shall reveal unto you a summary of the available incantations: nmap -h. But lo,

104
00:11:42,720 --> 00:11:46,880
should your thirst for knowledge remain unquenched, delve deeper into the arcane

105
00:11:46,880 --> 00:11:52,640
teachings of Nmap. Utter the sacred invocation to open the manual and partake in the wisdom

106
00:11:52,639 --> 00:11:59,439
it bestows upon the worthy: man nmap. In the sacred scrolls of the manual page,

107
00:11:59,439 --> 00:12:04,799
you shall find a wealth of knowledge, revealing the secrets and nuances of Nmap's mystical powers.

108
00:12:11,840 --> 00:12:16,159
The -V option (capital V) in Nmap is used to display the installed version of the tool.

109
00:12:16,720 --> 00:12:21,120
It can be helpful for troubleshooting and ensuring that you are using the latest version,

110
00:12:21,200 --> 00:12:26,799
which may include bug fixes and new features. To use this option, you can run the following

111
00:12:26,799 --> 00:12:33,519
command in your terminal or command prompt: nmap -V. This command will display

112
00:12:33,519 --> 00:12:38,639
information about the Nmap version installed on your system. If you encounter any issues,

113
00:12:38,639 --> 00:12:42,480
or if you want to stay updated with the latest features and bug fixes,

114
00:12:42,480 --> 00:12:46,720
it's a good practice to check the official Nmap website for the most recent version.

115
00:12:51,120 --> 00:12:56,560
The -v option (lowercase v) in Nmap is used to enable verbose output, providing more detailed information

116
00:12:56,560 --> 00:13:01,840
during the scanning process. It can be helpful for troubleshooting connectivity issues and gaining

117
00:13:01,840 --> 00:13:07,360
insights into the scan's progress. To use this option, you can run the following command in your

118
00:13:07,360 --> 00:13:15,039
terminal or command prompt: nmap -v your target. This command will perform a scan on the

119
00:13:15,839 --> 00:13:22,879
specified target with verbose output enabled. If you want even more detailed information,

120
00:13:22,879 --> 00:13:28,719
you can use the option multiple times, such as nmap -vv your target.

121
00:13:30,079 --> 00:13:34,959
This will increase the verbosity level and provide additional details about the scanning process.

122
00:13:34,960 --> 00:13:48,240
Embarking on a targeted exploration. Executing Nmap without any command line options initiates

123
00:13:48,240 --> 00:13:54,400
a fundamental scan on the specified target, which can be denoted by an IP address or host name.

124
00:13:54,400 --> 00:14:01,600
Just type nmap your target. What happens next? Nmap, the wizard of network probing,

125
00:14:01,600 --> 00:14:08,639
systematically scans the 1000 most common TCP/IP ports. Now, each port responding to its probing

126
00:14:08,639 --> 00:14:15,040
reveals its secrets, falling into one of these six intriguing states. Open. It's like a neon sign

127
00:14:15,040 --> 00:14:22,000
saying, come on in. A service is actively awaiting connections on this port. Closed. Probes were

128
00:14:22,000 --> 00:14:26,960
received, but it's like knocking on a door with no one home, no service is running on this port.

129
00:14:27,680 --> 00:14:34,080
Filtered. The mysterious cloak. No signs of probes, no established state. Something's

130
00:14:34,080 --> 00:14:40,480
filtering those signals could be a security wizard at play. Unfiltered. Probes were received,

131
00:14:40,480 --> 00:14:47,440
but a clear state remains elusive. The plot thickens. Open|filtered. A tantalizing blend

132
00:14:47,440 --> 00:14:53,120
of possibility. The port might be open or filtered, but the exact state remains a bit elusive.

133
00:14:54,080 --> 00:14:58,879
Closed|filtered. A double mystery. The port is either closed or filtered,

134
00:14:58,879 --> 00:15:04,799
but the precise state continues to play hide and seek. So with this voyage through port states,

135
00:15:04,799 --> 00:15:08,320
Nmap unveils the secrets of your target's service landscape.

136
00:15:13,279 --> 00:15:19,360
Exploring multiple targets. Nmap has your back. The simplest way to achieve this is by stringing

137
00:15:19,360 --> 00:15:24,720
together the target IP addresses or host names on the command line, separated by spaces.

138
00:15:35,680 --> 00:15:41,919
Ready to scan a whole subnet? Nmap makes it easy by using CIDR (Classless Inter-Domain Routing)

139
00:15:41,920 --> 00:15:51,600
notation. Just type nmap network-ip/CIDR. This command directs Nmap to scan the entire IP

140
00:15:51,600 --> 00:15:58,080
address network, leveraging CIDR notation. CIDR notation is a compact representation

141
00:15:58,080 --> 00:16:03,280
of the network address and subnet mask in binary bits, conveniently separated by a slash.

142
00:16:11,920 --> 00:16:21,760
To scan a range of IP addresses, simply type nmap range of IP addresses.

143
00:16:23,680 --> 00:16:35,280
This allows Nmap to target a specified range of IP addresses for thorough scanning.

144
00:16:35,919 --> 00:16:43,279
To scan a list of targets efficiently, you can create a text file, for example,

145
00:16:43,279 --> 00:16:48,480
IP.txt containing the IP addresses or host names of the systems you want to scan.

146
00:16:49,279 --> 00:16:55,279
Each entry in the file should be separated by a space, tab, or new line. For instance,

147
00:16:55,279 --> 00:17:01,360
if your file IP.txt contains a list of IP addresses, you can initiate the scan by typing

148
00:17:02,080 --> 00:17:10,720
nmap -iL IP.txt. The -iL parameter is crucial here, as it instructs Nmap to extract

149
00:17:10,720 --> 00:17:16,160
the list of targets from the specified file. This scan will be executed individually for

150
00:17:16,160 --> 00:17:22,720
each host mentioned in the file, allowing for a comprehensive assessment of multiple systems.

151
00:17:32,320 --> 00:17:38,880
To fine-tune your scans, Nmap offers the --exclude option, allowing you to omit

152
00:17:38,880 --> 00:17:45,520
specific hosts during a scan. For instance: nmap your targets --exclude target.

153
00:17:47,200 --> 00:17:51,440
This option proves valuable when dealing with a substantial number of addresses,

154
00:17:51,440 --> 00:17:57,600
enabling you to selectively exclude certain hosts. The --exclude option accommodates single hosts,

155
00:17:57,679 --> 00:18:01,759
ranges, or entire network blocks.

156
00:18:21,839 --> 00:18:27,439
Additionally, you can leverage the --excludefile option, which functions similarly to --exclude,

157
00:18:27,440 --> 00:18:31,440
but allows you to provide a list of targets to be excluded from the network scan.

158
00:18:32,080 --> 00:18:36,799
For example: nmap your targets --excludefile your file name.

159
00:18:38,559 --> 00:18:44,400
In this scenario, the targets listed in the IP.txt file will be excluded from the scan,

160
00:18:44,400 --> 00:18:47,600
providing flexibility in tailoring your scanning parameters.

161
00:18:47,600 --> 00:18:48,640
Network Interface Selection

162
00:18:53,120 --> 00:18:58,240
When it comes to network interface selection, Nmap usually does a great job of automatically

163
00:18:58,240 --> 00:19:03,840
detecting your active interface. However, there are situations where it might encounter challenges,

164
00:19:03,840 --> 00:19:09,040
where you specifically need to choose a different interface to address networking issues. In such

165
00:19:09,040 --> 00:19:14,800
cases, you can utilize the -e argument to instruct Nmap to scan using a particular network interface.

166
00:19:15,759 --> 00:19:18,079
nmap -e interface target

167
00:19:20,159 --> 00:19:23,359
This becomes necessary when dealing with broadcast scripts,

168
00:19:23,359 --> 00:19:28,319
or if you come across the warning message: WARNING: Unable to find appropriate interface

169
00:19:28,319 --> 00:19:34,159
for system route to. By specifying the interface, you can overcome these challenges and ensure

170
00:19:34,159 --> 00:19:43,039
a more accurate and targeted scan. Venturing into the realm of IPv6,

171
00:19:43,759 --> 00:19:49,119
Nmap has you covered with the -6 parameter, designed for scanning IP version 6 targets.

172
00:19:51,359 --> 00:19:54,480
For instance: nmap -6 target

173
00:19:55,680 --> 00:20:00,079
Executing this command unveils the results of scanning an IPv6 target.

174
00:20:00,639 --> 00:20:06,399
It's worth noting that while most Nmap options seamlessly support IPv6, there are exceptions.

175
00:20:07,120 --> 00:20:11,040
Multiple target scanning using ranges and CIDR, for example,

176
00:20:11,040 --> 00:20:13,759
is rendered pointless in IPv6 networks.

177
00:20:18,640 --> 00:20:24,080
Fancy a roll of the dice in cyberspace? Nmap's got you covered with the -iR parameter,

178
00:20:24,080 --> 00:20:31,440
allowing you to scan random internet hosts. For instance: nmap -iR number of targets

179
00:20:32,000 --> 00:20:36,960
Executing this command prompts Nmap to randomly generate a specified number of targets and scan

180
00:20:36,960 --> 00:20:42,320
them. While it might be an interesting exercise for research purposes or sheer curiosity,

181
00:20:42,320 --> 00:20:47,039
it's crucial to note that conducting frequent and aggressive random scans could potentially

182
00:20:47,039 --> 00:20:51,920
lead to issues with your internet service provider. So, proceed with caution unless

183
00:20:51,920 --> 00:20:53,840
you're working on a research project.

184
00:20:53,839 --> 00:20:57,679
Unleash the power of understanding port states with this special command.

185
00:20:58,639 --> 00:21:00,639
nmap --reason your target

186
00:21:01,679 --> 00:21:06,559
When you run this, you'll notice a new Reason field in the results. It's like a decoder

187
00:21:06,559 --> 00:21:11,759
revealing the secrets behind why each port is in its current state, whether it's open, closed,

188
00:21:11,759 --> 00:21:17,199
or filtered by a firewall. Think of it as your magical guide, helping you make sense of what

189
00:21:17,360 --> 00:21:28,799
the hidden forces within the realm of network exploration are. May your scanning journey be

190
00:21:28,799 --> 00:21:40,960
clear and full of revelations. Simplify your scan results with the power of focus.

191
00:21:41,600 --> 00:21:43,039
nmap --open your target

193
00:21:44,799 --> 00:21:49,599
By using the --open parameter, you tell Nmap to cut through the noise and show only the open

194
00:21:49,599 --> 00:21:54,799
ports. It's like a spotlight in the darkness, revealing the crucial entry points and keeping

195
00:21:54,799 --> 00:22:05,119
your results clear and concise. Uncover the secrets of network communication with the

196
00:22:05,119 --> 00:22:09,519
--packet-trace magic: nmap --packet-trace your target

198
00:22:11,599 --> 00:22:17,440
By using --packet-trace, Nmap reveals a detailed log of every packet's journey, sent and received.

199
00:22:18,079 --> 00:22:22,079
It's your backstage pass to the network performance, perfect for troubleshooting

200
00:22:22,079 --> 00:22:26,000
connectivity hiccups.

201
00:22:26,000 --> 00:22:31,119
Alright, let's delve into the myriad of port scanning options that Nmap has to offer.

202
00:22:31,119 --> 00:22:38,559
In the vast expanse of TCP/IP ports, totaling 131,070, Nmap in its default mode

203
00:22:38,559 --> 00:22:44,159
meticulously scans just 1000 of the most frequently utilized ports. This strategic

204
00:22:44,159 --> 00:22:49,279
selection optimizes scanning efficiency, especially when dealing with multiple targets,

205
00:22:49,279 --> 00:22:52,879
as the ports beyond the top 1000 are typically less traversed.

206
00:22:53,919 --> 00:22:58,559
However, there are scenarios where venturing beyond the default range becomes crucial whether

207
00:22:58,559 --> 00:23:03,679
to unveil uncommon services or to trace ports redirected to alternative locations.

208
00:23:04,400 --> 00:23:09,039
This section unfolds the options that grant you the power to extend your scans into different

209
00:23:09,039 --> 00:23:14,160
port territories and explores various features tailored for port-specific investigations.

210
00:23:14,720 --> 00:23:18,560
Let's unravel the possibilities that lie beyond the customary port limits.

211
00:23:22,240 --> 00:23:28,000
To kick things off with a swifter approach, the -F option in Nmap is your ticket to a speedy scan,

212
00:23:28,000 --> 00:23:30,799
focusing solely on the 100 most prevalent ports.

213
00:23:31,440 --> 00:23:36,400
Here's how to unleash this rapid exploration: nmap -F your target

214
00:23:38,079 --> 00:23:44,480
While Nmap, by default, meticulously examines the top 1000 commonly used ports, the -F option

215
00:23:44,480 --> 00:23:50,720
strategically trims that list down to 100. This not only dramatically accelerates your scanning pace,

216
00:23:50,720 --> 00:23:55,039
but also ensures that you're still capturing the essence of the most commonly used ports.

217
00:23:55,680 --> 00:23:59,119
It's a powerful trade-off between speed and comprehensiveness

218
00:23:59,119 --> 00:24:01,440
designed to optimize your scanning experience.

219
00:24:05,119 --> 00:24:10,000
In the intricate world of port scanning, the -p option in Nmap acts as your guiding light,

220
00:24:10,000 --> 00:24:13,680
allowing you to pinpoint and scrutinize specific ports with finesse.

221
00:24:14,399 --> 00:24:19,839
Let's unravel the possibilities: nmap -p, the port that you want, then your target.

222
00:24:20,000 --> 00:24:24,000
For instance, the command above harnesses -p to hone in on port 80.

223
00:24:24,000 --> 00:24:29,439
But why stop there? The -p option goes beyond solitary pursuits; you can explore multiple

224
00:24:29,439 --> 00:24:36,000
individual ports separated by commas or even a captivating range of ports. Witness the flexibility.

225
00:24:37,039 --> 00:24:42,000
nmap -p port1,port2,... or a range of ports, then your target.

226
00:24:42,000 --> 00:24:45,680
Yet, the -p option doesn't merely stop at numerical values,

227
00:24:45,680 --> 00:24:51,680
it embraces the eloquence of port names: nmap -p port names your target.

228
00:25:12,640 --> 00:25:16,799
As illustrated, you can seek open ports by name,

229
00:25:16,799 --> 00:25:21,519
where the specified names must align with a service listed in the Nmap services file.

230
00:25:23,920 --> 00:25:28,880
In the symphony of port scanning options, the -p option in Nmap reveals yet another note,

231
00:25:28,880 --> 00:25:35,519
the wildcard asterisk. This wildcard, when employed with -p, becomes a powerful tool to scan

232
00:25:35,519 --> 00:25:43,279
all 65,535 TCP/IP ports on the target of your choice: nmap -p "*" your target.

233
00:25:44,960 --> 00:25:49,920
Crucially, the use of double quotes is imperative to encapsulate the wildcard statement,

234
00:25:49,920 --> 00:25:53,359
preventing your system from misinterpreting it as a shell wildcard.

235
00:25:54,000 --> 00:25:59,839
This ensures precision in your command execution. In essence, this command is an invocation to

236
00:25:59,839 --> 00:26:05,039
explore every nook and cranny of the target's port landscape, an all-encompassing journey into

237
00:26:05,039 --> 00:26:10,879
the entire spectrum of TCP/IP ports. Embarking on the intricate journey of port scanning,

238
00:26:10,879 --> 00:26:16,480
the -p option in Nmap stands as a versatile ally. Its capabilities extend to scanning

239
00:26:16,480 --> 00:26:21,440
ports based on specific protocols, introducing a nuanced approach to your exploration.

240
00:26:22,159 --> 00:26:28,240
Imagine this scenario, a craving for a meticulous examination of both UDP and TCP ports.

241
00:26:28,880 --> 00:26:36,480
Enter the command: nmap -sU -sT -p U:53,T:25 your target.

242
00:26:38,319 --> 00:26:44,799
Here, Nmap, by default, tends to focus solely on TCP ports. To broaden your scope and encompass

243
00:26:44,799 --> 00:26:51,279
both TCP and UDP ports, additional scan types like -sU and -sT need to be activated, a topic

244
00:26:51,279 --> 00:26:57,200
we'll delve into in an upcoming section. This command orchestrates a symphony of exploration,

245
00:26:57,200 --> 00:27:04,400
executing a UDP scan on port 53 and a TCP scan on port 25. It's a masterful blend of

246
00:27:04,400 --> 00:27:09,039
precision and protocol-specific scrutiny, unraveling the mysteries concealed within

247
00:27:09,039 --> 00:27:14,160
each port and protocol combination. In the expansive realm of port scanning,

248
00:27:14,160 --> 00:27:16,400
the -p option remains a steadfast guide.

249
00:27:22,960 --> 00:27:25,759
Traversing the intricate landscape of port scanning,

250
00:27:25,759 --> 00:27:30,559
the --top-ports option in Nmap becomes a crucial tool, allowing you to define the

251
00:27:30,559 --> 00:27:35,839
number of top-ranked ports for a meticulous exploration: nmap --top-ports,

252
00:27:35,839 --> 00:27:38,799
the number of top ports that you want to scan, then your target.

253
00:27:40,400 --> 00:27:45,920
By default, Nmap sets its sights on the vast sea of the 1,000 most commonly used ports,

254
00:27:45,920 --> 00:27:51,440
a number curtailed to a nimble 100 with the -F option. However, with the --top-ports option,

255
00:27:51,519 --> 00:27:56,160
you take the helm, determining the specific quantity of top-ranked ports to scrutinize.

256
00:27:56,960 --> 00:28:03,840
nmap --top-ports 10 your target. In this command, observe the --top-ports option in action,

257
00:28:03,840 --> 00:28:09,759
guiding Nmap to inspect the top 10 ports. Yet, the true strength lies in your hands,

258
00:28:09,759 --> 00:28:11,360
any number can be specified.

259
00:28:16,080 --> 00:28:20,799
Embarking on a methodical exploration of port scanning, the -r option in Nmap

260
00:28:20,799 --> 00:28:25,519
unveils the capability to perform a sequential port scan on the designated target.

261
00:28:26,079 --> 00:28:32,960
For instance: nmap -r your target. Nmap's default scanning algorithm orchestrates a

262
00:28:32,960 --> 00:28:38,079
random order for port scans, a strategic maneuver to evade firewalls and intrusion

263
00:28:38,079 --> 00:28:44,079
prevention systems. However, the -r parameter serves as a directive, overriding this randomness

264
00:28:44,079 --> 00:28:48,079
and guiding Nmap to systematically seek open ports in numerical order.

265
00:28:48,720 --> 00:28:52,399
To enhance your understanding, consider combining the -v option with -r.

266
00:28:53,199 --> 00:28:59,759
nmap -v -r your target. This combination provides a real-time display of the sequential

267
00:28:59,759 --> 00:29:03,919
port discovery, unraveling the exploration process as it unfolds.

268
00:29:06,480 --> 00:29:10,399
Alright guys, those were basic scanning techniques, and with no options,

269
00:29:10,399 --> 00:29:14,960
they're not good scanning techniques, but I just want to show you some basics for starting to scan.

270
00:29:15,759 --> 00:29:19,840
The default discovery options aren't useful when scanning secured systems,

271
00:29:19,840 --> 00:29:24,640
and can hinder scanning progress. Now let's delve into some foundational scanning

272
00:29:24,640 --> 00:29:31,920
techniques with a touch of advanced exploration. Let's take a detour from the default.

273
00:29:32,559 --> 00:29:36,640
Ordinarily, before Nmap delves into scanning a system's open ports,

274
00:29:36,640 --> 00:29:39,840
it initiates a quick ping to check if the target is online.

275
00:29:40,640 --> 00:29:45,680
This smart move helps expedite the scanning process by skipping non-responsive targets.

276
00:29:46,400 --> 00:29:51,120
Now, if you want to skip the default discovery check and go for a comprehensive port scan,

277
00:29:51,120 --> 00:29:55,520
you can use Nmap, P, N, your target.

278
00:29:57,840 --> 00:30:01,760
The PN option tells Nmap to forego the default discovery step,

279
00:30:01,760 --> 00:30:07,200
which is particularly handy when dealing with hosts protected by firewalls that block ping probes.

280
00:30:10,800 --> 00:30:16,800
Sometimes you just want to say hello with a ping. The S, P option in Nmap lets you do just that.

281
00:30:17,920 --> 00:30:20,240
Nmap S, capital P, your target.

282
00:30:22,080 --> 00:30:25,120
This option is handy when you're on a reconnaissance mission,

283
00:30:25,120 --> 00:30:29,760
seeking a quick overview of the online hosts in your target network without delving into

284
00:30:29,760 --> 00:30:38,560
the intricacies of port scanning. For instance, Nmap S, capital P, 10, 0, 2, 0, slash, 24.

285
00:30:40,800 --> 00:30:47,200
In this example, Nmap pings all 254 addresses in the 10.0.2.0 subnet,

286
00:30:47,200 --> 00:30:52,960
presenting results for live hosts. When running Nmap with root privileges on a local network,

287
00:30:52,960 --> 00:30:57,040
the S, P option kicks it up a notch, performing an ARP ping

288
00:30:57,040 --> 00:30:59,840
and returning the MAC addresses of the discovered systems.

289
00:31:05,920 --> 00:31:09,440
Performing a TCP SYN ping can be a handy alternative,

290
00:31:09,600 --> 00:31:15,360
especially when standard ICMP pings are blocked. Here's how to use the PS option in Nmap.

291
00:31:16,720 --> 00:31:19,680
Nmap, capital P, capital S, your target.

292
00:31:22,400 --> 00:31:28,080
The PS option initiates a TCP SYN ping by sending a SYN packet to the target system,

293
00:31:28,080 --> 00:31:32,160
and then listens for a response on the specified ports if you specified ports.

294
00:31:32,880 --> 00:31:38,640
This approach is particularly effective for systems configured to block standard ICMP pings.

295
00:31:38,640 --> 00:31:43,120
By default, if no specific ports are provided, the ping is sent to port 80.

296
00:31:43,759 --> 00:31:47,280
This method provides a reliable way to discover live hosts

297
00:31:47,280 --> 00:31:50,560
and assess network connectivity without relying on ICMP.

298
00:31:57,840 --> 00:32:00,320
Engaging in network discovery with Nmap,

299
00:32:00,320 --> 00:32:04,560
the P option lets you perform a TCP ACK ping on a specified target.

300
00:32:05,200 --> 00:32:06,240
Here's how to use it.

301
00:32:07,519 --> 00:32:10,399
Nmap, capital P, capital A, your target.

302
00:32:12,879 --> 00:32:18,799
When employed, the PA option prompts Nmap to dispatch TCP ACK packets to the specified hosts.

303
00:32:19,440 --> 00:32:24,159
This method is designed to discover hosts by responding to TCP connections that don't

304
00:32:24,159 --> 00:32:27,440
actually exist, aiming to elicit a response from the target.

305
00:32:28,079 --> 00:32:33,200
It proves particularly valuable in scenarios where standard ICMP pings are blocked,

306
00:32:33,200 --> 00:32:35,920
offering an alternative means of network exploration.

307
00:32:44,160 --> 00:32:46,480
For a different approach to network discovery,

308
00:32:46,480 --> 00:32:51,200
the PU option in Nmap allows you to perform a UDP ping on a target system.

309
00:32:51,920 --> 00:32:52,880
Here's how to use it.

310
00:32:54,160 --> 00:32:58,559
Nmap, capital P, capital U, ports that you want, then your target.

311
00:32:59,359 --> 00:33:04,879
When invoked, the PU option directs Nmap to dispatch UDP packets to the specified hosts,

312
00:33:04,879 --> 00:33:06,720
aiming to elicit a response.

313
00:33:07,359 --> 00:33:11,119
While many firewall systems are configured to block this type of connection,

314
00:33:11,119 --> 00:33:13,839
some poorly configured systems might allow it,

315
00:33:13,839 --> 00:33:17,759
especially if they are set up to filter TCP connections exclusively.

316
00:33:19,359 --> 00:33:22,240
By default, if no specific ports are provided,

317
00:33:22,240 --> 00:33:25,359
the UDP ping is sent to port 40125.

319
00:33:29,200 --> 00:33:33,040
This method serves as an alternative means of network exploration,

320
00:33:33,040 --> 00:33:37,680
particularly useful in situations where TCP connections are filtered or blocked.

321
00:33:42,160 --> 00:33:44,720
Exploring network connectivity with Nmap,

322
00:33:44,720 --> 00:33:50,080
the PY parameter empowers you to execute an SCTP init ping on a specified target.

323
00:33:50,720 --> 00:33:52,000
Here's how to utilize it.

324
00:33:52,960 --> 00:33:57,519
Nmap, capital P, capital Y, ports that you want, then your target.

325
00:33:59,920 --> 00:34:02,000
When employing the PY option,

326
00:34:02,000 --> 00:34:06,559
Nmap endeavors to discover hosts using the stream control transmission protocol.

327
00:34:07,279 --> 00:34:11,360
SCTP is commonly employed on systems for IP-based telephony.

328
00:34:12,239 --> 00:34:15,119
By default, if no specific ports are provided,

329
00:34:15,119 --> 00:34:17,679
the SCTP init ping is sent to port 80.

330
00:34:18,320 --> 00:34:21,920
This method offers a unique approach to network exploration,

331
00:34:22,000 --> 00:34:25,840
particularly relevant in contexts where SCTP is used,

332
00:34:25,840 --> 00:34:28,159
such as in IP-based telephony systems.

333
00:34:32,000 --> 00:34:34,480
For a classic approach to network discovery,

334
00:34:34,480 --> 00:34:38,480
the PE option in Nmap enables you to execute an ICMP

335
00:34:38,480 --> 00:34:42,320
internet control message protocol echo ping on a specified system.

336
00:34:42,960 --> 00:34:43,920
Here's how to use it.

337
00:34:45,119 --> 00:34:48,400
Nmap, capital P, capital E, then your target.

338
00:34:48,880 --> 00:34:50,639
When you employ the PE option,

339
00:34:50,639 --> 00:34:54,720
Nmap sends a standard ICMP ping to the target to check if it replies.

340
00:34:55,519 --> 00:34:59,119
This type of discovery is particularly effective on local networks

341
00:34:59,119 --> 00:35:02,720
where ICMP packets can be transmitted with few restrictions.

342
00:35:03,200 --> 00:35:06,720
However, it's essential to note that many internet hosts are configured

343
00:35:06,720 --> 00:35:10,160
not to respond to ICMP packets for security reasons.

344
00:35:11,200 --> 00:35:14,800
It's worth mentioning that the PE option is automatically implied

345
00:35:15,600 --> 00:35:17,920
if no other ping options are specified.

346
00:35:18,560 --> 00:35:21,360
This ensures a straightforward ICMP echo ping

347
00:35:21,360 --> 00:35:24,320
when no other ping methods are explicitly chosen.

348
00:35:29,519 --> 00:35:31,360
In the realm of network exploration,

349
00:35:31,360 --> 00:35:35,440
the PP option in Nmap allows you to conduct an ICMP timestamp

350
00:35:35,440 --> 00:35:37,039
ping on a specified target.

351
00:35:37,600 --> 00:35:38,960
Here's how to utilize it.

352
00:35:40,000 --> 00:35:42,960
Nmap, capital P, capital E, then your target.

353
00:35:42,960 --> 00:35:44,720
When you invoke the PP option,

354
00:35:44,720 --> 00:35:47,519
Nmap engages in an ICMP timestamp ping.

355
00:35:48,240 --> 00:35:52,320
While many firewall systems are set up to block ICMP echo requests,

356
00:35:52,320 --> 00:35:57,360
some improperly configured systems might still respond to ICMP timestamp requests.

357
00:35:57,840 --> 00:36:00,400
This unique approach with PP proves valuable

358
00:36:00,400 --> 00:36:04,159
for attempting to solicit responses from targets behind firewalls.

359
00:36:04,720 --> 00:36:08,559
However, it's crucial to exercise caution and respect security policies

360
00:36:08,559 --> 00:36:10,559
in order to protect your firewalls.

361
00:36:11,199 --> 00:36:13,599
Delving into ICMP exploration,

362
00:36:13,599 --> 00:36:19,119
the PM option in Nmap enables an ICMP address mask ping on a specified target.

363
00:36:19,679 --> 00:36:20,880
Here's how to use it.

364
00:36:22,000 --> 00:36:25,360
Nmap, capital P, capital M, your target.

365
00:36:27,840 --> 00:36:31,679
This atypical ICMP query, akin to the PP option,

366
00:36:31,679 --> 00:36:34,320
endeavors to help you identify the IP address

367
00:36:34,320 --> 00:36:36,400
and the IP address of your target.

368
00:36:36,400 --> 00:36:40,160
This atypical ICMP query, akin to the PP option,

369
00:36:40,160 --> 00:36:44,320
endeavors to ping the specified host using alternative ICMP registers.

370
00:36:44,960 --> 00:36:47,680
The uniqueness of this type of ping lies in its ability

371
00:36:47,680 --> 00:36:52,079
to occasionally bypass firewalls configured to block standard echo requests.

372
00:36:56,639 --> 00:36:58,400
In the realm of network probing,

373
00:36:58,400 --> 00:37:03,760
the PO option in Nmap allows you to execute an IP protocol ping on a specified target.

374
00:37:04,400 --> 00:37:05,680
Here's how to utilize it.

375
00:37:07,200 --> 00:37:11,760
Nmap, capital P, capital O, protocols that you want, then your target.

376
00:37:15,200 --> 00:37:16,880
When you use the PO option,

377
00:37:16,880 --> 00:37:20,559
Nmap dispatches packets with the specified protocols to the target.

378
00:37:21,280 --> 00:37:23,920
If no protocols are explicitly specified,

379
00:37:23,920 --> 00:37:29,760
the default protocols 1 (ICMP), 2 (IGMP), and 4 (IP-in-IP) are utilized.

380
00:37:30,559 --> 00:37:34,320
This approach provides a versatile means of probing a target system

381
00:37:34,320 --> 00:37:38,880
using different IP protocols, offering flexibility in network exploration.

382
00:37:43,280 --> 00:37:45,440
Engaging in local network discovery,

383
00:37:45,440 --> 00:37:49,519
the PR option in Nmap empowers you to execute an ARP

384
00:37:49,519 --> 00:37:52,880
or address resolution protocol ping on a specified target.

385
00:37:53,519 --> 00:37:54,800
Here's how to utilize it.

386
00:37:56,000 --> 00:37:58,960
Nmap, capital P, capital R, your target.

387
00:37:58,960 --> 00:38:02,880
The PR option is automatically implied when scanning the local network.

388
00:38:03,679 --> 00:38:08,639
This discovery method, based on an ARP, is notably faster than other ping methods

389
00:38:08,639 --> 00:38:13,599
and offers increased accuracy because LAN hosts can't block ARP requests,

390
00:38:13,599 --> 00:38:16,000
even if they are situated behind a firewall.

391
00:38:17,199 --> 00:38:21,599
It's important to note that ARP scans are restricted to targets within your local subnet.

392
00:38:22,320 --> 00:38:25,119
This method excels in local network scenarios,

393
00:38:25,119 --> 00:38:31,599
providing a swift and accurate means of identifying live hosts.

394
00:38:35,920 --> 00:38:38,400
Embarking on a journey of network exploration,

395
00:38:38,400 --> 00:38:43,519
the traceroute parameter in Nmap allows you to trace the network path to a specified host.

396
00:38:44,079 --> 00:38:45,359
Here's how to utilize it.

397
00:38:46,799 --> 00:38:48,639
Nmap, traceroute, your target.

398
00:38:49,119 --> 00:38:54,000
Executing this command provides information similar to the traceroute or tracepath commands

399
00:38:54,000 --> 00:38:56,239
found on Unix and Linux systems.

400
00:38:56,799 --> 00:39:00,799
However, Nmap's tracing functionality surpasses these commands,

401
00:39:00,799 --> 00:39:04,159
offering additional benefits in terms of accuracy and features.

402
00:39:05,119 --> 00:39:09,119
Traceroute with Nmap proves to be a powerful tool for understanding the route

403
00:39:09,119 --> 00:39:11,920
that network packets take to reach a destination,

404
00:39:11,920 --> 00:39:15,359
aiding in network diagnostics and optimization efforts.

405
00:39:15,360 --> 00:39:20,400
Venturing into the realm of reconnaissance, the r parameter in Nmap empowers you to enforce

406
00:39:20,400 --> 00:39:23,920
reverse DNS resolution on a specified target IP address.

407
00:39:24,720 --> 00:39:25,920
Here's how to use it.

408
00:39:26,800 --> 00:39:29,039
Nmap, capital R, your target.

409
00:39:31,840 --> 00:39:37,360
By default, Nmap performs reverse DNS resolution only for hosts that appear to be online.

412
00:39:45,119 --> 00:39:50,159
The r option proves beneficial when conducting reconnaissance on a block of IP addresses

413
00:39:50,159 --> 00:39:55,199
as it prompts Nmap to attempt resolving the reverse DNS information for every IP address.

414
00:39:56,000 --> 00:39:59,840
This can unveil interesting details about the target IP address,

415
00:39:59,840 --> 00:40:02,719
even if it is offline or blocking Nmap's probes.

416
00:40:04,079 --> 00:40:09,760
However, it's important to note that the r option can significantly impact the performance of a scan,

417
00:40:09,760 --> 00:40:14,640
so it should be used judiciously based on the specific requirements of your reconnaissance efforts.

418
00:40:21,520 --> 00:40:26,400
In the quest for faster scan results, the n parameter in Nmap allows you to disable

419
00:40:26,400 --> 00:40:29,360
reverse DNS lookups. Here's how to use it.

420
00:40:30,800 --> 00:40:32,080
Nmap, n, your target.

421
00:40:34,480 --> 00:40:37,600
Enabling the n option proves to be a strategic choice,

422
00:40:37,599 --> 00:40:43,279
especially when scanning a large number of hosts, as reverse DNS resolution can significantly slow

423
00:40:43,279 --> 00:40:49,679
down the process. By opting for n, you prioritize scan speed over obtaining DNS information for the

424
00:40:49,679 --> 00:40:55,360
target system. This option is particularly useful in scenarios where you don't require

425
00:40:55,360 --> 00:41:00,880
detailed DNS information and prefer swift scan results. It's a practical choice for

426
00:41:00,880 --> 00:41:05,360
efficiency when the focus is primarily on the IP level details of the targets.

427
00:41:07,599 --> 00:41:15,679
Exploring alternative DNS lookup methods, the system DNS option in Nmap directs the tool to

428
00:41:15,679 --> 00:41:21,360
utilize the host system's DNS resolver rather than its internal method. Here's how to use it.

429
00:41:22,799 --> 00:41:24,960
Nmap, system DNS, your target.

430
00:41:27,519 --> 00:41:32,639
While this option is seldom used due to its slower performance compared to the default method,

431
00:41:32,639 --> 00:41:36,960
it can be valuable in scenarios where troubleshooting DNS problems with Nmap is

432
00:41:36,960 --> 00:41:42,720
necessary. It provides an alternative approach to DNS resolution, leveraging the host system's

433
00:41:42,720 --> 00:41:48,079
DNS resolver. It's important to note that the system resolver is automatically employed for

434
00:41:48,079 --> 00:41:54,960
IPv6 scans, as Nmap has not fully implemented its own internal IPv6 resolver at the time of

435
00:41:54,960 --> 00:42:04,159
this information update. In the pursuit of customizing DNS server usage, the DNS servers

436
00:42:04,159 --> 00:42:09,199
option in Nmap allows you to manually specify DNS servers to be queried during scanning.

437
00:42:09,759 --> 00:42:16,719
Here's how to use it. Nmap, DNS servers, server 1, server 2, etc. Then your target.

438
00:42:19,599 --> 00:42:25,119
By default, Nmap utilizes the DNS servers configured on your local system for name resolution.

439
00:42:25,759 --> 00:42:31,440
However, the DNS servers option empowers you to specify one or more alternative servers for Nmap

440
00:42:31,440 --> 00:42:37,039
to query. This proves useful in situations where DNS is not configured on the system,

441
00:42:37,039 --> 00:42:41,679
or if you wish to avoid having your scan lookups recorded in the log files of your locally

442
00:42:41,679 --> 00:42:47,920
configured DNS server. This option provides flexibility in tailoring the DNS resolution

443
00:42:47,920 --> 00:42:51,280
process according to your specific requirements during scanning.

444
00:42:53,440 --> 00:42:58,079
Now let's dive into advanced scanning with Nmap. In this exploration, we're not just sticking to

445
00:42:58,079 --> 00:43:03,519
the basics. Nmap opens up a plethora of possibilities with its user-selectable scan

446
00:43:03,519 --> 00:43:08,799
types, allowing you to tailor your scans to the unique challenges posed by each target system.

447
00:43:09,519 --> 00:43:14,639
By default, Nmap gracefully executes a basic TCP scan on every target,

448
00:43:14,639 --> 00:43:18,480
but the real adventure begins when we venture into more complex territories.

449
00:43:19,119 --> 00:43:24,559
Picture this. You need to unveil those elusive uncommon services or gracefully maneuver around

450
00:43:24,559 --> 00:43:29,920
a firewall. This is where the advanced scan types come to the rescue. Throughout this journey,

451
00:43:29,920 --> 00:43:34,559
we'll unravel the intricacies of these advanced scans, empowering you with the knowledge to

452
00:43:34,559 --> 00:43:40,799
navigate the diverse landscapes of network discovery. TCP or UDP, we've got you covered.

453
00:43:40,799 --> 00:43:43,599
It's like having a versatile toolkit at your disposal,

454
00:43:43,599 --> 00:43:47,199
each scan type a unique tool designed for specific challenges.

455
00:43:47,200 --> 00:43:56,800
Diving into the world of TCP SYN scans with Nmap. The SS option is your key to performing a TCP SYN

456
00:43:56,800 --> 00:44:04,080
scan, and here's how you wield it. Nmap S, capital S, your target. Now let's break it down.

457
00:44:04,640 --> 00:44:09,600
The TCP SYN scan, set as the default for privileged users, those running as root on

458
00:44:09,600 --> 00:44:16,000
Unix/Linux or Administrator on Windows, is a strategic exploration tactic. This scan endeavors

459
00:44:16,000 --> 00:44:21,519
to pinpoint the 1,000 most commonly used TCP ports by delicately sending a SYN packet to the

460
00:44:21,519 --> 00:44:28,000
target and keenly listening for a response. What makes it stealthy, you ask? Well, this scan doesn't

461
00:44:28,000 --> 00:44:33,199
boldly attempt to establish a full-fledged connection with the remote host. It operates

462
00:44:33,199 --> 00:44:38,000
in the shadows, preventing many systems from logging a connection attempt from your scan,

463
00:44:38,000 --> 00:44:43,519
a truly ninja move in the world of network reconnaissance. But here's the reality check.

464
00:44:43,519 --> 00:44:49,199
Stealth isn't a guarantee. Modern packet capture programs and advanced firewalls have evolved to

465
00:44:49,199 --> 00:44:58,239
detect the subtle footprints of TCP SYN scans. Let's delve into the realm of TCP Connect scans

466
00:44:58,239 --> 00:45:04,400
with Nmap. The ST option is your gateway to performing a TCP Connect scan, and here's how

467
00:45:04,400 --> 00:45:13,440
you wield it. Nmap S, capital T, then your target. Now let's unravel the magic. The TCP Connect scan

468
00:45:13,440 --> 00:45:19,840
executed by default for non-privileged users, and also used for IPv6 targets, is a straightforward

469
00:45:19,840 --> 00:45:25,599
probe. It boldly attempts to establish a direct connection with the remote system, bypassing the

470
00:45:25,599 --> 00:45:32,079
stealthiness associated with other scan types. Here's a pro tip. While the TCP Connect scan is

471
00:45:32,079 --> 00:45:37,280
effective, it's generally advisable to execute Nmap with root privileges whenever possible.

472
00:45:37,840 --> 00:45:43,200
Why? Because with root privileges, Nmap opts for a TCP SYN scan SS,

473
00:45:43,200 --> 00:45:48,000
providing a more accurate listing of port states and significantly boosting scan speed.

474
00:45:51,600 --> 00:45:57,600
Embark on the journey of UDP exploration with Nmap. The SU option is your gateway to performing

475
00:45:57,600 --> 00:46:04,880
a UDP or user datagram protocol scan, and here's how you command it. Nmap S, capital U, your target.

476
00:46:05,200 --> 00:46:11,039
Now let's uncover the magic. This command gracefully unveils the results of a UDP scan.

477
00:46:11,039 --> 00:46:17,519
While TCP takes the limelight as the most commonly used protocol, numerous network services like DNS,

478
00:46:17,519 --> 00:46:24,160
DHCP, and SNMP rely on the agility of UDP. When you're on a network audit mission, it's a savvy

479
00:46:24,160 --> 00:46:29,920
move to check for both TCP and UDP services, ensuring you paint a comprehensive picture of

480
00:46:30,880 --> 00:46:37,440
the target host or network. UDP scans add a layer of depth to your exploration,

481
00:46:37,440 --> 00:46:42,480
capturing those services that might be operating in the subtle realms of the user datagram protocol.

482
00:46:46,400 --> 00:46:52,400
Venture into the realm of TCP null scans with Nmap. The SN option is your ticket to performing

483
00:46:52,400 --> 00:46:59,119
a TCP null scan, and here's how you orchestrate it. Nmap S, capital N, your target.

484
00:47:00,880 --> 00:47:07,680
Now let's unravel the intrigue. A TCP null scan, in its enigmatic glory, prompts Nmap to dispatch

485
00:47:07,680 --> 00:47:13,280
packets with no TCP flags enabled. It's like sending a message with a blank slate, setting

486
00:47:13,280 --> 00:47:19,119
the packet header to zero. Why, you ask. Well, this method is a crafty way to coax a response

487
00:47:19,119 --> 00:47:24,960
from a firewalled system. By sending null packets to the target, you're essentially playing a subtle

488
00:47:25,039 --> 00:47:30,079
game of trickery, seeking a response from systems that might otherwise remain guarded.

489
00:47:30,079 --> 00:47:34,079
It's a dance in the shadows of network reconnaissance, where not all systems

490
00:47:34,079 --> 00:47:39,519
choose to unveil their secrets in the face of such probing. As you embark on this TCP

491
00:47:39,519 --> 00:47:44,079
null scan adventure, remember that the art lies in the unexpected responses,

492
00:47:44,079 --> 00:47:48,079
the hidden revelations that may surface in the wake of this nuanced exploration.

493
00:47:48,719 --> 00:47:55,039
Dive into the world of TCP FIN scans with Nmap. The SF option is your key to performing a TCP

494
00:47:55,039 --> 00:48:00,880
FIN scan, and here's how you command it. Nmap S, capital F, your target.

495
00:48:02,719 --> 00:48:09,360
Now let's unravel the intrigue. In a TCP FIN scan, Nmap sets the TCP FIN bit active when

496
00:48:09,360 --> 00:48:14,960
dispatching packets, all in a cunning move to elicit a TCP ACK from the target system in question.

497
00:48:15,599 --> 00:48:19,199
It's a subtle dance, where the absence of a flag becomes a signal,

498
00:48:19,199 --> 00:48:25,360
seeking acknowledgement from the targeted system. Why employ such finesse? Well, it's yet another

499
00:48:25,360 --> 00:48:30,800
method in the arsenal of sending unexpected packets, a strategy aimed at unraveling information

500
00:48:30,800 --> 00:48:36,240
from systems shielded by firewalls. It's like tapping on the door with a nuanced rhythm,

501
00:48:36,240 --> 00:48:41,840
inviting responses that may reveal more than meets the eye. As with any covert exploration,

502
00:48:41,840 --> 00:48:45,440
not all systems will readily unveil their secrets in the face of such probing.

503
00:48:45,440 --> 00:48:52,400
The TCP FIN scan adds an air of sophistication to your reconnaissance toolkit.

504
00:48:54,559 --> 00:48:58,880
Dive into the festive spirit of network scanning with the Xmas scan using Nmap.

505
00:48:58,880 --> 00:49:05,440
Just remember to use the SX flag in your command. Nmap S, capital X, your target.

506
00:49:06,079 --> 00:49:13,360
Now, let's break it down. In the Xmas scan, Nmap sends packets with special URG, FIN, and PSH flags

507
00:49:13,360 --> 00:49:18,880
activated like lighting up a packet in the style of a Christmas tree. This unique combination of

508
00:49:18,880 --> 00:49:24,800
flags is designed to see if it can get a response from systems protected by firewalls. Imagine it

509
00:49:24,800 --> 00:49:29,679
as a playful holiday dance of flags, trying to get attention from the systems in a creative way.

510
00:49:30,079 --> 00:49:33,599
However, not every system will respond to this festive probing.

511
00:49:37,440 --> 00:49:44,000
Unveil the fortress walls. Utilize the TCP ACK scan with the SA option in Nmap to decipher if

512
00:49:44,000 --> 00:49:51,839
your target system is shielded by a firewall. Nmap S, capital A, your target. Here's the lowdown.

513
00:49:51,920 --> 00:49:57,680
With the TCP ACK scan, Nmap meticulously probes the target on the lookout for RST responses.

514
00:49:58,480 --> 00:50:04,960
No response received? That signals the system is filtered. If the system retorts with an RST packet,

515
00:50:04,960 --> 00:50:10,480
it earns the unfiltered badge. Discovering a lack of responses on certain ports,

516
00:50:10,480 --> 00:50:16,640
considered filtered, indicates the system is likely fortified by a firewall. The unfiltered ports may

517
00:50:17,039 --> 00:50:22,719
have their own special rules within the target's firewall architecture. Keep in mind, the SA option

518
00:50:22,719 --> 00:50:28,079
doesn't spill the beans on whether the unfiltered ports are open or closed. It's on a singular

519
00:50:28,079 --> 00:50:35,519
mission to unveil the port filtering status of the system. Unleash the power of customization

520
00:50:35,519 --> 00:50:43,039
with the Nmap scan flags option.

521
00:50:43,519 --> 00:50:49,679
This feature allows you to craft a custom TCP scan tailored

522
00:50:49,679 --> 00:50:56,719
to your needs. Here's how you can command it. Nmap, scan flags, flag or flags, then your target.

523
00:50:57,759 --> 00:51:03,119
Let's decode it. With the scan flags option, you can define your scan by choosing from various

524
00:51:03,119 --> 00:51:09,199
TCP header flags. Picture it like assembling your own set of flags for the scan. Any

525
00:51:09,200 --> 00:51:13,680
combination of the flags listed here can be used with the scan flags option.

526
00:51:13,680 --> 00:51:18,880
So embrace the freedom to customize and create a scan that suits your specific requirements.

527
00:51:23,520 --> 00:51:27,600
Unravel the tapestry of supported IP protocols on your target system

528
00:51:27,600 --> 00:51:34,000
using the IP protocol scan with the SO option in Nmap. Nmap S, capital O, your target.

529
00:51:34,639 --> 00:51:40,239
Picture this. The IP protocol scan unveils the diverse protocols supported by the target system.

530
00:51:41,039 --> 00:51:48,239
ICMP, TCP, and UDP commonly stand as the pillars of modern networks. Armed with this knowledge,

531
00:51:48,239 --> 00:51:52,400
you can strategically plan your subsequent scans based on the detected protocols.

532
00:51:53,360 --> 00:51:57,920
For a comprehensive list of IP protocols, consult the IANA website.

533
00:51:57,920 --> 00:52:08,079
Unleash the power of raw Ethernet packets in your network exploration with the send

534
00:52:08,079 --> 00:52:17,280
ETH option in Nmap. Nmap, send ETH, then your target. Imagine this. By activating send ETH,

535
00:52:17,280 --> 00:52:22,400
Nmap ascends to the data link layer, sidestepping the traditional IP layer on your system.

536
00:52:23,200 --> 00:52:26,800
This strategic move empowers you to send raw Ethernet packets,

537
00:52:26,800 --> 00:52:30,480
offering a solution to potential issues with your system's IP stack.

538
00:52:31,039 --> 00:52:37,039
Embrace the potential of send ETH, a feature so potent that Nmap automatically incorporates it

539
00:52:37,039 --> 00:52:42,480
where needed, sparing you from the need to frequently specify it as a command line argument.

540
00:52:42,480 --> 00:52:47,600
Elevate your scanning game by delving into the realm of raw Ethernet packets with Nmap's send

541
00:52:47,599 --> 00:52:57,440
ETH option. Harness the flexibility of IP packets in your scanning endeavors with Nmap's send IP

542
00:52:57,440 --> 00:53:06,319
option. Nmap, send IP, your target. Here's the scoop. By activating send IP, Nmap seamlessly

543
00:53:06,319 --> 00:53:11,679
integrates with your local system's IP stack, utilizing IP packets for scanning purposes.

544
00:53:12,480 --> 00:53:17,039
This choice provides an alternative approach compared to the use of raw Ethernet packets.

545
00:53:17,599 --> 00:53:23,119
Noteworthy is the fact that the send IP option is automatically invoked by Nmap when required,

546
00:53:23,119 --> 00:53:27,039
sparing you the need to frequently specify it as a command line argument.

547
00:53:28,719 --> 00:53:34,000
Now let's embark on a journey into the realm of operating system and service detection with Nmap,

548
00:53:34,000 --> 00:53:39,119
where its prowess shines in uncovering the mysteries of remote systems. Nmap boasts a

549
00:53:39,119 --> 00:53:44,239
remarkable feature that sets it apart: the ability to discern operating systems and services on

550
00:53:44,240 --> 00:53:49,600
target machines. This capability delves into the responses received during scans,

551
00:53:49,600 --> 00:53:54,800
aiming to pinpoint the host's operating system and the services it hosts. At the heart of this

552
00:53:54,800 --> 00:54:00,720
capability lies TCP-IP fingerprinting, a process that endeavors to identify the fingerprint left

553
00:54:00,720 --> 00:54:06,240
by a target's operating system and software versions. While not an exact science, Nmap

554
00:54:06,240 --> 00:54:10,640
developers have meticulously crafted this feature to be both accurate and reliable.

555
00:54:11,199 --> 00:54:16,319
As with many of Nmap's powerful features, the art of version detection is at your command,

556
00:54:16,319 --> 00:54:20,239
offering precise control through an array of arguments explored in this section.

557
00:54:24,239 --> 00:54:29,119
Embark on the quest of uncovering the elusive operating system running on remote targets

558
00:54:29,119 --> 00:54:34,159
with Nmap's operating system detection capability. To unleash this feature,

559
00:54:34,159 --> 00:54:39,440
wield the O parameter in your Nmap command. Nmap, capital O, then your target.

560
00:54:41,119 --> 00:54:45,920
Witness the magic as Nmap endeavors to identify the operating system on the remote target.

561
00:54:46,719 --> 00:54:52,400
Operating system detection is a crafty process, analyzing responses from the target to unveil

562
00:54:52,400 --> 00:54:57,440
specific characteristics that hint at the OS type. For the sleuthing to be effective,

563
00:54:57,440 --> 00:55:01,359
ensure there is at least one open and one closed port on the target system.

564
00:55:01,920 --> 00:55:07,279
When scanning multiple targets, you can utilize the OS scan limit option combined with O,

565
00:55:07,280 --> 00:55:11,440
directing Nmap to skip OS scanning for hosts that don't meet this criterion.

566
00:55:12,000 --> 00:55:15,440
For a more in-depth exploration, couple the V option with O,

567
00:55:15,440 --> 00:55:19,600
revealing additional information that Nmap uncovers about the remote system.

568
00:55:24,800 --> 00:55:28,800
In instances where Nmap struggles to pinpoint the OS accurately,

569
00:55:28,800 --> 00:55:35,600
take charge and force a guess with the OS scan guess option. Nmap, capital O, OS scan guess,

570
00:55:35,599 --> 00:55:42,400
then your target. Behold a list of potential OS matches, each accompanied by a percentage

571
00:55:42,400 --> 00:55:47,519
indicating Nmap's confidence in the proposed match. For those who prefer brevity,

572
00:55:47,519 --> 00:55:52,960
the fuzzy option stands as a synonym, serving as a convenient shortcut for the OS scan guess feature.

573
00:55:56,719 --> 00:56:02,079
Delve into the heart of Nmap's capabilities with the SV parameter, unveiling the intricacies of

574
00:56:02,079 --> 00:56:06,880
service version detection. Nmap S, capital V, then your target.

575
00:56:08,319 --> 00:56:13,440
Witness the magic as Nmap endeavors to unravel the identity of the vendor and software version

576
00:56:13,440 --> 00:56:19,199
for each open port it encounters. The scan results unveil a tapestry of information,

577
00:56:19,199 --> 00:56:24,719
showcasing the software vendor and version numbers for services that Nmap successfully identifies.

578
00:56:25,440 --> 00:56:30,000
For those yearning for deeper insights, the version trace option serves as a beacon of

579
00:56:30,000 --> 00:56:34,800
enlightenment. Enable it to immerse yourself in verbose version scan activity.

580
00:56:35,599 --> 00:56:42,719
Nmap S, capital V, version trace, your target. Version trace acts as your guiding companion,

581
00:56:42,719 --> 00:56:47,519
shedding light on the intricate details of version scan activity. Whether you seek to

582
00:56:47,519 --> 00:56:51,679
debug problems or yearn for additional insights about the target system,

583
00:56:51,679 --> 00:56:54,800
this option stands ready to assist you on your Nmap journey.

584
00:56:55,600 --> 00:57:00,640
Let's explore the intricacies of Nmap's timing options, a set of versatile tools that allow you

585
00:57:00,640 --> 00:57:06,000
to fine-tune the speed of your scans based on specific requirements. Whether you're navigating

586
00:57:06,000 --> 00:57:11,280
a high-speed local network with numerous hosts or carefully scanning slower networks or the

587
00:57:11,280 --> 00:57:16,160
vast expanse of the internet, these timing options provide the flexibility you need.

588
00:57:20,080 --> 00:57:24,080
Nmap's timing parameters are versatile

589
00:57:24,159 --> 00:57:30,000
and can be expressed in milliseconds by default. Additionally, you have the flexibility to specify

590
00:57:30,000 --> 00:57:35,279
timing parameters in seconds, minutes, or hours by appending a qualifier to the time argument.

591
00:57:36,079 --> 00:57:41,599
Here's an example showcasing the usage of timing parameters. Milliseconds, or the default one.

592
00:57:42,239 --> 00:57:52,799
Nmap T4, then your target. Seconds. Nmap T4S, then your target. Minutes. Nmap T4M, then your target.

593
00:57:53,600 --> 00:58:00,960
Hours. Nmap T4H, your target. This flexibility in timing parameters empowers you to tailor

594
00:58:00,960 --> 00:58:05,680
Nmap scans to your specific requirements, adapting to the varied landscapes of

595
00:58:05,680 --> 00:58:14,320
network reconnaissance with precision and control. The T parameter serves as a powerful tool to

596
00:58:14,400 --> 00:58:20,080
designate a timing template for your Nmap scan. Nmap T, zero to five, your target.

597
00:58:22,240 --> 00:58:27,280
Timing templates offer convenient shortcuts for adjusting the timing options during a scan,

598
00:58:27,280 --> 00:58:33,039
striking a balance between speed and stealth. You can choose from six templates, numbered zero to

599
00:58:33,039 --> 00:58:38,559
five, each tailored for specific purposes. The following table provides an overview of

600
00:58:38,559 --> 00:58:44,480
each timing template. Empower your Nmap scans with the flexibility of timing templates,

601
00:58:44,480 --> 00:58:49,279
allowing you to adapt your reconnaissance strategy to the specific requirements of your scanning

602
00:58:49,279 --> 00:58:59,199
environment. Fine-tune the parallelism of your Nmap scans with the min parallelism

603
00:58:59,199 --> 00:59:05,599
and max parallelism options. Nmap, min parallelism, number that you want, then your target.

604
00:59:05,599 --> 00:59:12,719
The min parallelism option allows you to specify the minimum number of parallel port scan operations

605
00:59:12,719 --> 00:59:18,799
that Nmap should execute simultaneously. Nmap usually adjusts this value dynamically based on

606
00:59:18,799 --> 00:59:24,799
network conditions, but you can set a custom value if needed. For instance, this command ensures that

607
00:59:24,799 --> 00:59:30,639
at least 100 parallel operations are performed at any given time. While tweaking this parameter may

608
00:59:30,639 --> 00:59:37,519
enhance scan performance, setting it too high could lead to inaccurate results. Nmap, max parallelism,

609
00:59:37,519 --> 00:59:45,039
number that you want, then your target. Conversely, the max parallelism option lets you control the

610
00:59:45,039 --> 00:59:51,679
maximum number of parallel port scan operations executed by Nmap simultaneously. For example,

611
00:59:51,679 --> 00:59:58,559
the command Nmap, max parallelism, one, your target, restricts Nmap to perform only one operation at a

612
00:59:58,559 --> 01:00:03,840
time. Although this slows down the scan considerably, it minimizes the risk of overwhelming

613
01:00:03,840 --> 01:00:09,119
the target system with a flood of packets. Adjusting these parameters provides flexibility

614
01:00:09,119 --> 01:00:13,759
in adapting Nmap scans to various network conditions and target sensitivities.

615
01:00:18,400 --> 01:00:24,000
Refine your Nmap scans with the min host group and max host group options to control the parallelism

616
01:00:24,000 --> 01:00:31,760
of host groups. Nmap, min host group number, then your targets. The min host group option allows you

617
01:00:31,760 --> 01:00:36,960
to set the minimum number of targets that Nmap should scan in parallel. When scanning multiple

618
01:00:36,960 --> 01:00:42,960
targets, such as a range or entire subnet, Nmap organizes the scans into groups for efficiency.

619
01:00:43,519 --> 01:00:49,360
By default, Nmap dynamically adjusts these group sizes based on the scan type and network conditions.

620
01:00:49,920 --> 01:00:55,360
However, specifying the min host group option ensures that Nmap aims to keep the group sizes

621
01:00:55,360 --> 01:01:02,480
at the specified number. Nmap, max host group number, your targets. On the other hand,

622
01:01:02,480 --> 01:01:07,840
the max host group option enables you to specify the maximum number of targets Nmap should scan

623
01:01:07,840 --> 01:01:13,519
in parallel within a group. This option proves useful for controlling network load or avoiding

624
01:01:13,519 --> 01:01:19,360
detection by network security products. By setting an appropriate maximum host group size,

625
01:01:19,360 --> 01:01:24,800
you can fine-tune your scans to align with specific network conditions and security considerations.

626
01:01:28,880 --> 01:01:34,639
Fine-tune your Nmap scans with the initial RTT timeout and max RTT timeout options to

627
01:01:34,639 --> 01:01:41,199
control round trip time behavior. Nmap, initial RTT timeout, time you want, then your target.

628
01:01:41,760 --> 01:01:47,200
The initial RTT timeout option governs the initial round trip time (RTT) timeout value

629
01:01:47,200 --> 01:01:54,960
utilized by Nmap. The default timing template T3 sets an initial RTT timeout of 1000 milliseconds.

630
01:01:54,960 --> 01:02:00,160
Adjusting this value allows you to reduce packet retransmissions due to timeouts and potentially

631
01:02:00,160 --> 01:02:06,320
speed up scans. However, exercise caution when decreasing the value too much as it may lead to

632
01:02:06,880 --> 01:02:13,600
inaccurate results. Nmap, max RTT timeout, time that you want, then your target.

633
01:02:15,840 --> 01:02:21,440
On the other hand, the max RTT timeout option lets you specify the maximum RTT timeout for

634
01:02:21,440 --> 01:02:28,320
a packet response. By default, Nmap dynamically adjusts RTT timeout options for optimal results

635
01:02:28,320 --> 01:02:34,880
with a default maximum RTT timeout of 10 seconds. Manually setting the maximum RTT timeout lower

636
01:02:34,880 --> 01:02:41,440
can accelerate scan times, especially on fast and reliable networks. Conversely, a higher maximum

637
01:02:41,440 --> 01:02:47,280
RTT timeout prevents Nmap from prematurely giving up on slow or unreliable connections.

638
01:02:47,280 --> 01:02:52,320
Choose values judiciously, typically between 100 milliseconds for fast networks

639
01:02:52,320 --> 01:02:56,160
and 10,000 milliseconds for slower or less reliable connections.

640
01:02:57,119 --> 01:03:01,920
Fine-tune your Nmap scans with the max retries option, allowing you to control the maximum

641
01:03:01,920 --> 01:03:07,920
number of probe retransmissions. Nmap, max retries, number that you want, then your target.

642
01:03:09,920 --> 01:03:14,960
The max retries option empowers you to govern the maximum number of probe retransmissions that Nmap

643
01:03:14,960 --> 01:03:20,879
will attempt. Typically, Nmap dynamically adjusts the number of probe retransmissions based on

644
01:03:21,360 --> 01:03:26,640
network conditions. However, this option offers manual control, useful for overriding default

645
01:03:26,640 --> 01:03:32,400
settings or troubleshooting connectivity issues. Adjusting the number of retries can impact scan

646
01:03:32,400 --> 01:03:38,400
duration and accuracy. Setting a higher value increases the time it takes for a scan to complete,

647
01:03:38,400 --> 01:03:44,480
but may yield more accurate results. Conversely, lowering the max retries speeds up the scan,

648
01:03:44,480 --> 01:03:47,920
but may risk incomplete results if Nmap abandons the scan.

649
01:03:51,599 --> 01:03:57,039
Swiftly, strike a balance based on your priorities and the specific conditions of your scanning

650
01:03:57,039 --> 01:04:07,599
environment. Tailor your Nmap scan to specific network conditions with the TTL option,

651
01:04:07,599 --> 01:04:13,360
allowing you to set the time to live for the packets in milliseconds. Nmap, TTL time,

652
01:04:13,360 --> 01:04:20,160
then your target. The TTL option empowers you to define the TTL value in milliseconds

653
01:04:20,159 --> 01:04:25,199
for the packets sent during the scan. This becomes particularly valuable when scanning

654
01:04:25,199 --> 01:04:30,480
targets on slower connections, where conventional packets might expire before receiving a response.

655
01:04:31,279 --> 01:04:34,799
Fine-tune the TTL to optimize your scan's effectiveness,

656
01:04:34,799 --> 01:04:39,119
ensuring that it aligns with the characteristics of the network environment you are probing.

657
01:04:43,359 --> 01:04:47,279
Streamline your Nmap scans by utilizing the host timeout option,

658
01:04:47,280 --> 01:04:51,519
designed to manage slow or unresponsive hosts during the scanning process.

659
01:04:52,560 --> 01:04:56,000
Nmap, host timeout, time that you want, then your target.

660
01:04:58,000 --> 01:05:02,640
When scanning across networks with varying speeds or encountering systems protected by

661
01:05:02,640 --> 01:05:07,040
rate-limiting firewalls, some hosts may take an extended period to respond.

662
01:05:07,680 --> 01:05:11,600
The host timeout option empowers you to set a specific time interval,

663
01:05:11,600 --> 01:05:15,680
after which Nmap will gracefully terminate the scan for that particular host

664
01:05:15,760 --> 01:05:21,200
if it fails to complete within the specified duration. This proves invaluable when conducting

665
01:05:21,200 --> 01:05:26,560
scans across wide area networks or internet connections, allowing you to maintain efficient

666
01:05:26,560 --> 01:05:32,560
scan operations. Notably, Nmap's parallel operations enable it to continue scanning other

667
01:05:32,560 --> 01:05:38,880
hosts, even if one is experiencing delays. This mitigates potential bottlenecks caused by slow

668
01:05:38,880 --> 01:05:44,640
or unresponsive hosts. If a host surpasses the defined timeout with the host timeout option,

669
01:05:44,639 --> 01:05:49,519
Nmap will not display results for that host, regardless of any discovered open ports.

670
01:05:54,719 --> 01:05:59,039
Fine-tune your Nmap scans with precision using the scan delay option,

671
01:05:59,039 --> 01:06:02,159
allowing you to introduce deliberate pauses between probes.

672
01:06:02,960 --> 01:06:06,319
Nmap, scan delay, time that you want, then your target.

673
01:06:08,319 --> 01:06:12,319
Certain systems implement rate-limiting measures that can impact the effectiveness

674
01:06:12,320 --> 01:06:18,559
of Nmap scans. Nmap, by default, dynamically adjusts the scan delay on systems where rate

675
01:06:18,559 --> 01:06:23,920
limiting is detected. However, for scenarios where you have specific knowledge of rate limiting

676
01:06:23,920 --> 01:06:29,120
or the presence of intrusion detection systems, the scan delay option enables you to define

677
01:06:29,120 --> 01:06:33,519
a custom time interval between probes, ensuring optimal scanning performance.

678
01:06:34,240 --> 01:06:39,920
To set a maximum threshold for the time between probes, the max scan delay option comes into play.

679
01:06:40,720 --> 01:06:44,559
Nmap, max scan delay, time that you want, then your target.

680
01:06:46,720 --> 01:06:50,480
While the max scan delay option can potentially accelerate your scan,

681
01:06:50,480 --> 01:06:55,680
it introduces a trade-off between speed and result accuracy, along with an increased load

682
01:06:55,680 --> 01:07:00,720
on the network. Carefully consider the balance based on your specific scanning requirements

683
01:07:00,720 --> 01:07:01,840
and network conditions.

684
01:07:07,040 --> 01:07:12,400
Control the pace of your Nmap scans with precision using the min rate and max rate options,

685
01:07:12,400 --> 01:07:15,760
allowing you to tailor the packet rate based on your specific needs.

686
01:07:16,560 --> 01:07:19,040
Nmap, min rate number, then your target.

687
01:07:21,680 --> 01:07:27,440
By default, Nmap dynamically adjusts the packet rate during a scan to adapt to network conditions.

688
01:07:28,000 --> 01:07:32,400
However, there are scenarios where you might want to enforce your own minimum packet rate,

689
01:07:32,400 --> 01:07:37,599
although this is generally not recommended. For instance, using min rate 30 in the example

690
01:07:37,599 --> 01:07:42,880
above instructs Nmap to send a minimum of 30 packets per second, but the actual rate may

691
01:07:42,880 --> 01:07:47,920
be faster depending on network conditions. Caution should be exercised when setting

692
01:07:47,920 --> 01:07:53,440
min rate too high, as it may compromise the accuracy of the scan. To cap the packet rate,

693
01:07:53,440 --> 01:07:59,599
the max rate option comes into play. Nmap, max rate number that you want, then your target.

694
01:08:02,159 --> 01:08:08,000
In this command, specifying max rate 30 ensures that Nmap does not send more than 30 packets per

695
01:08:08,000 --> 01:08:14,240
second. This deliberate throttling can significantly slow down the scan, a tactic useful for avoiding

696
01:08:14,240 --> 01:08:20,720
intrusion detection systems or targets implementing rate limiting. For an exceptionally discreet scan,

697
01:08:20,720 --> 01:08:26,720
consider using max rate 0.1, instructing Nmap to send one packet every 10 seconds.

698
01:08:27,440 --> 01:08:31,199
This method adds an extra layer of subtlety to your scanning strategy.

699
01:08:36,880 --> 01:08:42,400
Overcome obstacles posed by targets employing rate limits on RST or reset packets

700
01:08:42,400 --> 01:08:48,880
using the defeat RST rate limit option in Nmap. Nmap, defeat RST rate limit, your target.

701
01:08:51,119 --> 01:08:55,360
Targets that implement rate limiting on RST packets can slow down your scans.

702
01:08:55,920 --> 01:09:00,000
The defeat RST rate limit option is designed to counter this restriction,

703
01:09:00,000 --> 01:09:05,360
potentially accelerating your scans. However, it's crucial to note that using this option may

704
01:09:05,360 --> 01:09:12,480
result in less accurate results, and is therefore employed sparingly. In practice, Nmap is adept at

705
01:09:12,480 --> 01:09:18,400
detecting hosts implementing rate limiting on its own, often making the defeat RST rate limit option

706
01:09:18,399 --> 01:09:24,799
unnecessary. As a result, it sees infrequent use, as Nmap typically adjusts itself automatically

707
01:09:24,799 --> 01:09:31,679
to navigate such network constraints. Navigating Firewalls with Nmap

708
01:09:32,239 --> 01:09:37,439
Firewalls and intrusion prevention systems are formidable barriers against tools like Nmap,

709
01:09:37,439 --> 01:09:42,960
striving to thwart accurate reconnaissance of protected systems. To counter these defenses,

710
01:09:42,960 --> 01:09:45,520
Nmap incorporates several evasion techniques.

711
01:09:46,239 --> 01:09:50,239
This section delves into the various evasion strategies embedded in Nmap.

712
01:09:55,119 --> 01:10:00,880
To customize the Maximum Transmission Unit, or MTU, and potentially confuse firewalls,

713
01:10:00,880 --> 01:10:07,199
you can utilize the MTU option in Nmap. Nmap, MTU, number that you want, then your target.

714
01:10:08,159 --> 01:10:14,239
Similar to the F option, MTU allows you to set your own MTU for scanning. The provided example,

715
01:10:14,239 --> 01:10:21,279
MTU 16, instructs Nmap to use tiny 16-byte packets during the scan. It's important to note that the

716
01:10:21,279 --> 01:10:29,039
MTU value must be a multiple of 8 like 8, 16, 24, 32, etc. For effective transmission of fragmented

717
01:10:29,039 --> 01:10:34,000
packets, some host operating systems may require combining send-eth with MTU.

718
01:10:37,599 --> 01:10:44,159
The D option in Nmap provides a means to enhance your anonymity during scanning by incorporating

719
01:10:44,159 --> 01:10:52,479
one or more decoy addresses. Nmap, D, decoy 1, decoy 2, etc. or RND, numbers that you want,

720
01:10:52,479 --> 01:11:00,800
then your target. In a decoy scan, Nmap sends spoofed packets from the specified decoy addresses,

721
01:11:00,800 --> 01:11:04,720
making it appear as if multiple systems are scanning the target concurrently.

722
01:11:05,440 --> 01:11:10,640
This helps the true source of the scan blend into a multitude, making it more challenging to trace.

723
01:11:11,440 --> 01:11:18,880
In the example, Nmap, D, RND, 5 directs Nmap to generate 5 random decoys. Alternatively,

724
01:11:18,880 --> 01:11:26,079
you can manually specify decoy addresses like this. Nmap, D, decoy 1, decoy 2, decoy 3, etc.

725
01:11:27,360 --> 01:11:31,840
It's essential to note that excessive use of decoys can lead to network congestion

726
01:11:31,840 --> 01:11:37,119
and diminish the effectiveness of the scan. Some internet service providers may also filter

727
01:11:37,119 --> 01:11:42,640
spoofed traffic, reducing the overall effectiveness of decoys in concealing your scanning activity.

728
01:11:46,800 --> 01:11:51,920
The SI option in Nmap introduces an intriguing technique known as the idle zombie scan.

729
01:11:52,880 --> 01:11:56,319
Nmap, S, capital I, zombie host, then your target.

730
01:11:56,960 --> 01:12:02,639
This unique scanning method leverages an idle system, turning it into a zombie to conduct scans

731
01:12:02,639 --> 01:12:09,679
on a target system. In the example, 10.022 acts as the zombie. The scan capitalizes on the predictable

732
01:12:09,679 --> 01:12:16,559
IP sequence ID generation found in some systems. For a successful idle scan, the zombie system must

733
01:12:16,559 --> 01:12:22,319
genuinely be idle during the scanning process. Notably, no probe packets are sent directly from

734
01:12:22,319 --> 01:12:29,679
your system to the target. However, an initial ping packet is dispatched to the target, unless

735
01:12:29,679 --> 01:12:35,920
you combine PN with SI to skip the initial ping. This intricate method exploits system behavior to

736
01:12:35,920 --> 01:12:41,679
discreetly gather information without direct interaction. For additional details and in-depth

737
01:12:41,679 --> 01:12:46,479
information regarding the idle zombie scan technique, you can explore the dedicated page

738
01:12:46,480 --> 01:12:52,640
on the Nmap website, Nmap Idle Scan. This resource provides comprehensive insights,

739
01:12:52,640 --> 01:12:56,720
explanations, and guidance on implementing the idle zombie scan effectively.

740
01:12:57,360 --> 01:13:01,600
Delve into the details to enhance your understanding of this unique scanning approach

741
01:13:01,600 --> 01:13:11,920
and its applications. To manually specify the source port number of a probe in Nmap,

742
01:13:11,920 --> 01:13:17,279
you can use the Source Port option. This option allows you to set a specific port number as the

743
01:13:17,279 --> 01:13:23,520
source for all packets in the scan. By default, Nmap randomly selects an available outgoing source

744
01:13:23,520 --> 01:13:29,279
port. However, using Source Port enables you to exploit potential weaknesses in firewalls that

745
01:13:29,279 --> 01:13:34,800
improperly accept incoming traffic based on a specific port number. Commonly susceptible

746
01:13:34,800 --> 01:13:42,800
ports include 20 or FTP, 53 or DNS, and 67 or DHCP. Here's an example of using the Source

747
01:13:42,800 --> 01:13:47,680
Port option. Nmap, Source Port, port that you want, then your target.

748
01:13:51,840 --> 01:13:55,119
Additionally, the G option is a synonym for Source Port,

749
01:13:55,119 --> 01:13:58,159
providing a convenient shortcut for the same functionality.

750
01:14:05,119 --> 01:14:11,279
To append random data to probe packets in Nmap, you can use the Data Length option. This option

751
01:14:11,279 --> 01:14:16,400
adds a specified amount of additional data to the probes, helping to circumvent firewall checks

752
01:14:16,400 --> 01:14:22,159
that may be looking for predictable packet sizes. Here's an example of using the Data Length option.

753
01:14:22,800 --> 01:14:28,800
Nmap, Data Length, number, then your target. Replace number with the desired amount of

754
01:14:28,800 --> 01:14:32,960
additional data to be appended, and target with the target system or network.

755
01:14:33,840 --> 01:14:38,800
In the provided example, 25 additional bytes are added to all packets sent to the target.

756
01:14:39,439 --> 01:14:41,920
Adjust the value based on your specific needs.

757
01:14:46,880 --> 01:14:50,399
To randomize the scanning order of specified targets in Nmap,

758
01:14:50,399 --> 01:14:55,920
you can use the Randomize Hosts option. This helps prevent scans from being easily detected

759
01:14:55,920 --> 01:15:01,279
by firewalls and intrusion detection systems, as the targets are scanned in a random order

760
01:15:01,279 --> 01:15:06,000
rather than sequentially. Here's an example of using the Randomize Hosts option.

761
01:15:06,639 --> 01:15:12,639
Nmap, Randomize Hosts, targets. By randomizing the scan order,

762
01:15:12,639 --> 01:15:16,079
you add an additional layer of evasion to your scanning activities.

763
01:15:16,639 --> 01:15:20,079
Adjust the command based on your specific requirements and targets.

764
01:15:20,800 --> 01:15:25,519
To spoof the MAC or Media Access Control address of an Ethernet device in Nmap,

765
01:15:25,519 --> 01:15:30,800
you can use the Spoof MAC option. This can help make your scanning activity more difficult to

766
01:15:30,800 --> 01:15:35,039
trace by preventing your actual MAC address from being logged on the target system.

767
01:15:35,680 --> 01:15:42,640
Here's an example of using the Spoof MAC option. Nmap, Spoof MAC, vendor, or MAC, or zero,

768
01:15:42,640 --> 01:15:48,559
then your target.

769
01:15:49,200 --> 01:15:55,200
Replace vendor, MAC, or zero with one of the following parameters.

770
01:15:56,000 --> 01:16:02,800
Zero, generates a random MAC address. Specific MAC address, use the specified MAC address.

771
01:16:03,680 --> 01:16:08,640
Vendor name, generates a MAC address from the specified vendors such as Apple, Dell,

772
01:16:08,720 --> 01:16:15,440
3Com, etc. For example, Nmap, Spoof MAC, zero, then your target.

773
01:16:17,200 --> 01:16:21,920
This command instructs Nmap to generate a random MAC address for the scanning activity.

774
01:16:22,480 --> 01:16:25,920
Adjust the command based on your specific requirements and targets.

775
01:16:29,920 --> 01:16:35,119
The Badsum option in Nmap is used to send packets with incorrect checksums to the specified host.

776
01:16:35,840 --> 01:16:41,439
This can be utilized as a technique to potentially elicit a response from a poorly configured system

777
01:16:41,439 --> 01:16:46,800
or as part of network security audits. Here's an example command using the Badsum option.

778
01:16:47,519 --> 01:16:54,960
Nmap, Badsum, then your target. In this example, Nmap will send packets with incorrect checksums to

779
01:16:54,960 --> 01:17:00,640
the specified target. However, keep in mind that well-configured systems typically won't respond

780
01:17:00,640 --> 01:17:06,079
to packets with bad checksums. This option is mainly used for specific situations where

781
01:17:06,079 --> 01:17:10,160
you are auditing network security or testing against certain configurations.

782
01:17:14,160 --> 01:17:20,480
Nmap Script Engine. The Nmap Scripting Engine NSE is a powerful tool that allows users to develop

783
01:17:20,480 --> 01:17:26,400
custom scripts which can be used to harness Nmap's advanced scanning functions. In addition to the

784
01:17:26,400 --> 01:17:31,120
ability to write your own custom scripts, there are also a number of standard built-in scripts

785
01:17:31,120 --> 01:17:35,760
that offer some interesting features such as vulnerability detection and exploitation.

786
01:17:42,880 --> 01:17:48,560
To work some magic with NSE scripts, just use the Script option. It's like casting a spell

787
01:17:48,560 --> 01:17:53,920
to reveal hidden secrets. Nmap, Script, Script you want to run, then your target.

788
01:17:54,399 --> 01:17:59,039
For example, say you want to get information from Whois records. Retrieving Whois

789
01:17:59,039 --> 01:18:04,640
records can provide valuable information including the registrar organization name, creation and

790
01:18:04,640 --> 01:18:11,279
expiration dates, geographical location, and abuse contact details. Nmap facilitates batch

791
01:18:11,279 --> 01:18:17,279
processing of Whois records for IP addresses or domain names. The following command demonstrates

792
01:18:17,599 --> 01:18:25,679
how to use Nmap for this purpose. Nmap sn script Whois dash asterisk then your target.

793
01:18:36,159 --> 01:18:42,639
Let's break down the command. sn skips the port scanning phase. Script Whois

794
01:18:42,720 --> 01:18:48,720
executes NSE scripts matching the file name pattern Whois. Two scripts match this pattern.

795
01:18:49,520 --> 01:18:57,360
Whois IP queries a regional internet Whois database, and Whois domain obtains referral

796
01:18:57,360 --> 01:19:03,600
records until the requested information is found. Executing this command will provide Whois information

797
01:19:03,600 --> 01:19:09,600
for the specified target. It's a convenient way to gather comprehensive details about IP addresses

798
01:19:09,600 --> 01:19:15,440
or domains in a batch fashion. Let me give you another example to obtain trace route geolocation

799
01:19:15,440 --> 01:19:21,200
information. To obtain trace route geolocation information using Nmap, you can utilize the

800
01:19:21,200 --> 01:19:28,320
trace route geolocation NSE script. The following command demonstrates how to achieve this. Nmap

801
01:19:28,320 --> 01:19:35,520
trace route script trace route geolocation then your target. Let's break down the command.

802
01:19:36,320 --> 01:19:42,560
Trace route will initiate a trace route to the specified target and script trace route geolocation

803
01:19:42,560 --> 01:19:48,320
will execute the trace route geolocation NSE script. The script will display geolocation

804
01:19:48,320 --> 01:19:53,600
coordinates for each hop in the trace route results. It relies on an external service from

805
01:19:53,600 --> 01:20:01,120
HTTP www.gplugin.com, doesn't require an API key, and has no query limitations. Additionally,

806
01:20:01,119 --> 01:20:06,559
you can save the results in KML format for later visualization on Google Maps or Google Earth.

807
01:20:08,079 --> 01:20:13,119
You might want to explore the Nmap script engine scripts available on this website for additional

808
01:20:13,119 --> 01:20:18,640
functionalities. It's a great resource to enhance your understanding and usage of Nmap.

809
01:20:18,640 --> 01:20:23,039
Uncover a rich tapestry of possibilities that will not only broaden your understanding,

810
01:20:23,039 --> 01:20:28,640
but also elevate your proficiency with Nmap to new heights. This resource offers a diverse

811
01:20:28,640 --> 01:20:33,840
range of scripts, each serving as a gateway to enhanced functionality and a deeper exploration

812
01:20:33,840 --> 01:20:39,360
of the capabilities that Nmap has to offer. Whether you're a seasoned user or just starting,

813
01:20:39,360 --> 01:20:46,160
this repository is a treasure trove waiting to be explored. Output options in Nmap. Ah,

814
01:20:46,160 --> 01:20:52,560
behold the myriad ways to record the echoes of your digital expeditions. Nmap, the oracle of networks,

815
01:20:52,560 --> 01:20:56,400
offers you several enchanted scrolls to transcribe your scan revelations.

816
01:20:57,040 --> 01:21:03,440
Let's explore these mystical output options. When Nmap unveils its findings, the default display

817
01:21:03,440 --> 01:21:09,440
graces your screen with the essence of discovered ports, hosts, and their secrets. To inscribe your

818
01:21:09,440 --> 01:21:16,240
findings for eternity, you can harness the power of output files. You can use O capital N to save

819
01:21:16,240 --> 01:21:24,400
as a text, O capital X to save as XML, O capital G to save as greppable file. Or you can use the O,

820
01:21:24,400 --> 01:21:29,280
A parameter, which saves the output of a scan in text, greppable, and XML formats.

821
01:21:48,240 --> 01:21:53,760
In the grand theater of network exploration, witness the mesmerizing display of scan statistics

822
01:21:53,760 --> 01:21:59,280
with the illustrious stats every option. Let the dance of information unfold before your eyes.

823
01:22:00,000 --> 01:22:02,960
Nmap stats every 2S, then your target.

824
01:22:08,560 --> 01:22:13,440
As you embark on the journey through the network realms, the mystical stats every option commands

825
01:22:13,440 --> 01:22:19,440
Nmap to unveil the status of the ongoing scan at regular intervals. In this incantation,

826
01:22:19,440 --> 01:22:24,000
every 2 seconds, the veil is lifted, revealing the secrets uncovered so far.

827
01:22:24,720 --> 01:22:29,120
Feel not the ennui of a stagnant screen during lengthy scans, for the periodic

828
01:22:29,120 --> 01:22:34,720
spectacle shall captivate your attention. The timing parameters are at your beck and call seconds,

829
01:22:34,720 --> 01:22:38,400
minutes, or hours anointed with the symbols S, M, or H.

830
01:22:43,360 --> 01:22:48,400
Absolutely, you've done a fantastic job sticking with this video through the intricacies of Nmap

831
01:22:48,400 --> 01:22:53,360
and its various scanning techniques. Now, with ZenMap stepping onto the stage,

832
01:22:53,360 --> 01:22:58,960
it's like having a magical wand to orchestrate these powerful scans effortlessly. ZenMap,

833
01:22:58,960 --> 01:23:03,920
with its user-friendly interface, turns complex Nmap commands into a visual feast.

834
01:23:04,480 --> 01:23:09,360
Just a few clicks and you're weaving spells with your scans. Whether you're on Windows, Mac,

835
01:23:09,359 --> 01:23:25,519
OS X, or the land of Unix Linux, ZenMap is there to make your scanning journey smoother than ever.

836
01:23:31,679 --> 01:23:35,920
Thanks for sticking with this video. I hope you found something valuable in the content.

837
01:23:36,480 --> 01:23:40,239
If there's anything more you'd like to explore, or if you have any questions,

838
01:23:40,239 --> 01:23:44,079
don't hesitate to let me know. Happy scanning, and stay curious.

839
01:23:44,640 --> 01:23:48,720
If you're interested in learning how to install Kali Linux, I recommend checking

840
01:23:48,720 --> 01:23:53,279
out the instructional video available. It provides a step-by-step guide for

841
01:23:53,279 --> 01:23:58,079
a comprehensive understanding of the installation process.

