
CEHv13 – Scanning Network Explained-2 | Ethical Hacking Tutorial | Module 3: Part 2

Fresh Developer (Sapium Security)

27m 23s · 4,028 words · ~21 min read
Transcript source: YouTube auto captions (extracted from YouTube's auto-generated caption track)


[0:00]Hi guys, in our last session, we have seen how the TCP three-way handshake works. Now, over here, guys, after that, we are having your TCP four-way handshake. Now, here guys, what we will be doing is, we will be going ahead and we are going to complete this scanning module, right? And for that, over here, like in our last session, we have seen how the communication is getting started. After that, what we will be doing is, we are going to discuss how the connection gets terminated in your TCP. So, for that, let's say I'm having my Kali and here I'm having my Metasploitable machine. Now, let's say we have started a communication, right? After that, my Kali, it wants to end this particular session with this Metasploitable machine. So for that, we are going to send your finish, or we are going to send your FIN flag. What it will be doing is, it will be informing this target machine that boss, we want to terminate the session. Now, let's say over here, over this Metasploitable machine, whatever the data it was either receiving or it was sending over there, that particular task was not done properly. Right? It still has to wait for a couple of minutes to successfully receive all the data. So, for that, it will be replying back and that particular reply is going to be just your acknowledgment. It will be sending us a flag that is going to be your acknowledgment, that will be acknowledging to this user, to our Kali, that okay, you want to terminate the session, no problem with that. I have successfully received your finish request. But, you have to wait for a couple of minutes for me so that I will be successfully able to collect all that information. Once all the information has been received by your Metasploitable machine, it is going to then send another flag that is going to be your FIN.

[2:15]With the help of that, it will be informing our machine that yeah, we have successfully received the packet. Now, if you want to terminate the session, we can do it, no problem with that. And, on the basis of that, our machine, it will be sending the acknowledgment. Right? So, this is how, guys, in your TCP, we are terminating the session. Right? Although, we are also having another flag that is present, which we call as your reset, or it is being written as your RST. But, when we are talking about this reset flag, what it will be doing is, although it is also terminating the session, it will be terminating a session in a very abrupt manner. Means that without taking any type of acknowledgment from the second party, it is going to terminate the session, right? So, generally, we are using the reset when we are finding that we are not properly able to close the connection. So, that is why, we are using your reset flag. So, let's go ahead, let's try to see how all these scans work. Right? Now, over here, guys, as we have used our Nmap in our last session, we have seen how we can go ahead and we will be able to find the information about your target. Right? So, for that, the first thing first, `ifconfig` was there, then after that, we were performing the ARP scan. Using that, we were able to find the target's IP address like this. Now, over here, if we want to launch the FIN scan, so for that, we are writing `-sF`, with a capital F. Now, since we have already seen what are the other ports that are available in your target, so that is why, I'm not going ahead, I'm not trying to look for each and every port. Instead of that, I'm specifically looking for the port number 21. Now, let me also show you the Wireshark so that it will be showcasing us the information, like what is happening in the background.

[4:27]After that, I will be hitting enter. So, in the Wireshark, you will be able to see the packets that are related with it. Here, you guys can see we are having the FIN request that is getting sent from your machine. 129, we are having.

[4:55]Right? So, from here, we can see that our particular machine, it was sending directly the FIN request. Now, over here, with the help of that, this time, you will be finding that instead of just writing open, we are finding something written as open|filtered. As we have previously discussed about open|filtered, it means to say our Nmap is not properly able to determine whether our target is really open or not. Whether that particular target port is really open, or whether it is getting filtered out by your firewalls or some other security solution. So, for that, we are getting open|filtered. Now, guys, when we are talking about this FIN scan, let me tell you what our Nmap was doing in the background. Here, we are having the Nmap FIN scan. Now, in this particular scenario, here we are having again our Kali. Let me also mark it. Then, over here, we are having our Metasploitable machine.

[6:15]Now, over here, you will be finding that our Kali, what it is, it sent your FIN. Right? It sent your FIN flag to your Metasploitable machine. But, if you guys will be going back to your Wireshark, you will be finding that we are not getting any type of reply from this 129. If I will be even removing it, I will be writing IP address and I will be specifically writing the IP address of your Metasploitable machine to see what are all the, you can say, communications that happened with your Metasploitable machine over there. And from here, you will be finding that what is happening is, for this FIN, right? We are just having the two requests that are getting presented over here from your Kali. It means that we have not received any type of reply from your Metasploitable machine. Now, over here, our Nmap, what it will be doing is, when it will be sending the FIN request to your Metasploitable machine, right? So, over here, if our Metasploitable machine is not providing us any type of reply, right? If your Metasploitable machine is not providing us any type of reply over there, so what it will be doing is, it will be going ahead and it is going to consider that particular port as the open one.

[7:44]Now, let me tell you, for example. Now, let's say, guys, we are going in the market and we are finding a complete stranger, we do not know him. But, over here, he will be going ahead and he will be coming towards our location, he will be waving his hand, he will be, you can say, directly trying to start the communication. Right? Or let's say, we will be finding a complete stranger and he will be directly saying goodbye or he will be saying finish. So, we are going to find that particular situation as the awkward one. Right? Or a completely messy situation. So, that is why, what we are going to do is, in a normal scenario, we are going to ignore him because he's just simply coming to our side and he's saying goodbye, so we are going to ignore him. So, the same sort of task will be also done. Right? If the port is open, it is not going to provide us any type of reply. But, if that particular port is open, right? It was not providing us any type of reply, and if the port is closed, then it will be providing us a reply, but that particular reply is going to be your reset ACK.

[9:01]Right? In this particular scenario, what it will be doing is, it will be saying that boss, I hope that this is not a proper way to start the communication. So, let's do one thing, let's start the communication from the beginning. So, for that, it is sending us the reset acknowledgment. So, that is what has happened over here, with the help of that, we have seen what was happening was, our Nmap was performing the scan, the FIN scan specifically on the port number 21. And since the port was open, we didn't receive any type of reply. But, instead of that, if I will be going ahead and I will be providing it some other number. Like, let's say, I'm writing the port number as your 20. I will be going back to your Wireshark to restart this capture and I will be waiting in the top. Right? Here we are finding that it is written as closed. If I will be going back to my Wireshark, you will be finding that from your Kali, we have sent it the FIN request and on the basis of that, our Metasploitable machine provided us the reset ACK to restart this communication from the beginning. So, this is how, with the help of your FIN scan, we will be able to discover whether our target port is open or not. Now, similar to this FIN scan, we are also having something known as your Xmas scan.

[10:31]For using your Xmas scan, we have to write `-sX`. Now, in the Xmas scan, similar to your FIN scan, what we will be doing is, we will be going ahead. Right? We will be sending your flags, but at that particular period of time, instead of sending just a single flag, we are going to send three flags together. That is going to be your FIN, PSH and URG, that stands for urgent. Right? So, over here, guys, since we are sending the three flags together over there, what will be happening is, the scenario is going to be the same: if the port is open, no reply will be given, if the port is not open, we will be receiving the reset ACK. Right? So, over here, let's try to perform it, like how it works. Let me write IP address 129. And you will be finding that what we are doing is, this was the previous packet that was only your FIN. And here we have sent it the FIN, PSH and URG. And on the basis of these flags, we are not receiving any type of reply. Now, if I will be again trying to perform it with the port number 20. You will be finding that what it is doing is, it is providing us the reset ACK, which is indicating that our target is not reachable, our target port is not reachable. Now, over here, guys, the reason why we were looking into the FIN scan, the Xmas scan, the UDP scan, the TCP scan, as well as the acknowledgment scan, because over here, what we are trying to do is, we're just trying to find any method which will be helping us to find the information about them. See, over here, it is not like that if I'm having the information about only, let's say, if I'm only having the information about your TCP scan. So, let's say if the TCP scan is blocked, so we won't be able to perform your network scanning. That is why, what we are doing is, we are looking into the different, different methods which will be helping us to perform your scanning. Right? Here, our Nmap, they are also having something known as your aggressive scan.
In the aggressive scan, they will be going ahead and they will be providing us the more detailed information. Let's say I'm just using the port number 21 that we are having for the FTP. If I will be hitting enter, you will be finding the information. Our Nmap this time for the port number 21 that we are having as the FTP, like this, right? They are providing us much more detailed information as compared to the previous scan which we have performed. Reason, because they are using your NSE which we have previously discussed. The Nmap Scripting Engine. Our Nmap, they are having the scripts that will be helping us to collect the more detailed information from the target. Right? So, over here, guys, these scripts are being written in the Lua language. If you guys are good with Lua, you guys can write your own script also. Right? Now, over here, if you want to see the information about your script, you guys can write `locate` Nmap scripts, that will be providing you the information about what are the scripts that are present, what is the location we are having for the Nmap scripts inside of your system.

[14:15]If you want to see the total number of the scripts that are present inside of your system, so for that, you guys can write `locate` Nmap scripts and here, guys, we are going to add a pipe. When we want to add two or more than two commands all together, so for that we are using these pipes. So, we will be writing pipe and then we are going to write word count `wc -l`, which we are having for the line. So, it will be going ahead, whatever the output we have gotten for the first command, it will be getting used as an input for the second command. With the help of that, we will be able to find the information about the total number of lines that are present. Let's try it on. See, over here, these are the scripts that are present inside of your system. Inside of `/usr/share/nmap/scripts`, and these are the scripts' names. If you want to see the total number, we can simply write word count `-l`. So, right now they are saying that I got you 611 scripts. Right? And, if we will be going back to your scan, you will be finding the information that our Nmap for your FTP, they only launched a script that was your `ftp-syst`. Another one was your `ftp-anon`. But, if I will be looking for the total number of scripts that are present for your FTP. `grep ftp`. So, these are the total scripts that are present for your FTP. But, out of these 10 scripts, they only launched the two scripts over there. Right? So, that is what our aggressive scan will be doing, what it will be doing is, it will be going ahead and it will be collecting the information all together about the open ports. Right? As well as it will be providing us the information about the operating system, the MAC address of your target, as well as it will be also running the scripts for us. It can also provide us the information about the service version we are having for the ports that are running over there, the services that are running.
So, whenever we are trying to collect all this information all together, we are having a term, which we call as the banner grabbing. So, if in our upcoming session, we will be talking about the banner grabbing, it means that we are talking about collecting the information about all these areas. Right? But, the problem is, since our Nmap is going ahead and it is trying to collect all this information in a single go, so that is why, it can create a lot of noise. Right? So, that's why, instead of writing all these options all together, right? Or instead of directly running our aggressive scan, we are going ahead and we are using some different, different combination according to our need. Let's say, you just want to find the information about the open ports, then we are having the options which we have used. If you just want to run the default scripts, for that we are having the option `-sC` that will be launching the default Nmap scripts. Right? It is not going to use all your 611 scripts, instead just the default ones. Right? If you want to find the information about the operating system, you guys can write `-O`. If you want to find the information about what are the service versions we are having, we can write `-sV`. And we are having the `-p`, which we are using for the ports, as well as if you guys want to find the information about the firewall, then we are having the option `-sA` that will be your acknowledgment scan.

[18:24]Which will be providing us the state of the firewall. Right? As well as many a time, we also need to bypass the security controls that are present, like the firewall that will be working in your target system.

[18:40]So, for that, what we are doing is, we are using some bypass techniques we are having. For example, if I will be going back to our Kali, and I will be writing Nmap help. So, from here, you will be finding the options which we are having for firewall or IDS evasion and the spoofing techniques. What they will be doing is, they will be helping us to bypass the security control that is present. Like we can perform the decoy scan, we can spoof our source IP address. Right? We can specify a particular interface from where you want to perform the scan. Even we are also having the option of your fragmentation. Means that we can break a particular packet into smaller, smaller pieces. Like `-f`, I will be writing 100. So, whatever the packet which we are trying to send, it is going to break it into your thousands of pieces. That's what we are having as your fragmentation. Right? So, guys, we will be discussing these evasion techniques in our upcoming module, that is your evading IDS.

[19:51]Firewall, your IPS and the honeypots. Along with that, they are also having the option of your output. Now, over here, you guys have seen we were trying to perform your scan, but what is happening is, once we are closing our system, that particular scan, we are not able to find any information about it. Right? So, that is why, over here, what we will be doing is, we are having this output option, with the help of that, we will be able to save the output of your Nmap inside of your file so that later on, we can also send that particular information to your higher-ups, to your peers, as well as we can also use it for the later analysis. So, I just created a directory with the name scan. I'm getting inside of that. And, over here, we will be writing `-o`, that we are having for the output. And, I'm going to write capital A, `-oA`. Capital A stands for all. Our Nmap is having the three formats that are getting used by it. That is we are having gnmap, nmap and the XML. Right? So, with the help of that, you guys can see now we are able to get this particular scan result inside of your system. So, that later on, we can utilize it. And, even if you guys want to see this particular information in a more organized manner, so for that, we can go ahead and we can use the HTML. We can convert this particular data into your HTML. For that, we are having your small utility `xsltproc`: `xsltproc meta.xml -o meta.html`, where `-o` we are having for the output. It has now created an HTML file. So, let's try to launch it.

[22:16]If I will be opening it, it is going to open this particular report over my browser and from here, in a more clear manner, you guys will be able to find the information about it.

[22:31]So, that is what we are having as your the output.

[22:40]Right? From here, you will be able to find the information about the service, the product, the version, the reason why we are getting this particular information, what are the scripts they are using, like your FTP anon, right? They are providing us the information, anonymous login is allowed. FTP, the result of your system, we are finding and many more.

[23:01]Right? Here, we are also finding the information about the operating system of your target. So, that is, guys, what we are having as the output option. Even, we can also control the speed of your Nmap. Right? A lot of time, what is happening is, we are also trying to bypass the security controls. And when we will be trying to bypass those security controls, we will be going ahead and we will be trying to manage the speed of your scan. Like, we are going to make it that slow that even our IDS/IPS or the time-based rules, they won't be able to detect. So, for that, what we can do is, we are having these timing options. Right? So, here we are having the timing that is going from your 0 to 5. 0, 1 and 2, they are considered as quite slow, right? Which we are using when we are trying to bypass the security controls. If you want to get the result more quickly, right? If you guys want to get the results in a quicker manner. So, for that, what we have to do is, we need to go ahead and we have to use the options like your 3, 4 and 5. Although, the option number 3 is being considered as the default one, which is getting used when we are not providing any type of information about the timing. Right? So, on the basis of that, if you guys want to use it, we can just write `-T` and let's say I'm writing 4. If I will be hitting enter, quickly, it will be trying to provide us the information.

[24:55]Right? You guys can see your scan has been completed in your 1.82 seconds. Instead of your 4, if I will be providing 0, this time, you will be finding that it is going to take more time. As compared to our previous one, even they have not initiated any type of communication so far. While I'm hitting enter, they are not providing me any type of result.

[25:57]So, this is how we are able to find the information that whatever the scan which we were trying to perform, right? It is going too slow over here. So, that is how we will be able to control the timing for your Nmap scans. Right? So, over here, guys, what we have done is, in this scanning module, we have seen like whether the target is live or not.

[26:28]Right? By using our tools, like your ping or your hping3, right? Then after that, we have seen the information through your Nmap by finding the information what are the open ports we are having. As well as by using the same Nmap, we have also seen what are the services that are running. Right? Now, after that, guys, we will be moving into our next module, right? That is we are having as your enumeration. In the enumeration, we will be going ahead and we will be trying to collect more detailed information about this identified info.

[27:10]Right? We will be looking into much more thoroughly over there. So, with the help of that, we will be able to utilize that knowledge when we will be trying to gain the access of a target system.
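The FIN and Xmas behaviour the video keeps coming back to, seen from the defender's side, as an added example (not code from the video or from Nmap): a bare FIN or a FIN/PSH/URG segment never comes from a normal TCP stack (the real teardown FIN is always FIN/ACK), so such segments can be flagged, and the absence of a reply is exactly why Nmap can only report open|filtered. The log records, hosts and ports below are constructed placeholders.

```python
"""Detect Nmap-style FIN and Xmas probes in a TCP flag log and infer the
port state the way Nmap does (no reply: open|filtered; RST/ACK: closed)."""
from collections import defaultdict

# TCP flag bits as laid out in the segment header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_flags(flags: int) -> str:
    """Label one segment by its flag combination.
    After the initial SYN, every segment of a legitimate connection carries
    ACK (the teardown FIN is sent as FIN/ACK), so a segment with none of
    SYN, ACK or RST set never comes from a normal TCP stack."""
    if flags & (SYN | ACK | RST):
        return "normal"
    if flags == FIN:
        return "fin-probe"          # what nmap -sF sends
    if flags == FIN | PSH | URG:
        return "xmas-probe"         # what nmap -sX sends
    return "ackless-probe"          # any other stack-less combination


def analyze(records, threshold=2):
    """Return (alerts, port_states) for records of
    (ts, src, dst, sport, dport, flags).
    alerts: {src: {probe_kind: count}} for sources sending >= threshold probes.
    port_states: {(target, port): "closed" | "open|filtered"}, inferred as
    Nmap does: RST/ACK back from the target means closed, silence means
    either open or dropped by a firewall."""
    per_source = defaultdict(lambda: defaultdict(int))
    probed = {}          # (scanner, target, port) -> probe kind
    rst_replies = set()  # (scanner, target, port) answered with RST/ACK
    for _ts, src, dst, sport, dport, flags in records:
        kind = classify_flags(flags)
        if kind != "normal":
            per_source[src][kind] += 1
            probed[(src, dst, dport)] = kind
        elif flags & RST and flags & ACK:
            # the target answers from the probed port back to the scanner
            rst_replies.add((dst, src, sport))
    alerts = {src: dict(kinds) for src, kinds in per_source.items()
              if sum(kinds.values()) >= threshold}
    port_states = {(dst, port): ("closed" if (src, dst, port) in rst_replies
                                 else "open|filtered")
                   for (src, dst, port) in probed}
    return alerts, port_states


# Constructed sample log; 10.0.0.5 (scanner), 10.0.0.7 (normal client) and
# 10.0.0.129 (target) are placeholder addresses, not the video's hosts.
SAMPLE_RECORDS = [
    # a normal connection: handshake, then FIN/ACK teardown in both directions
    (1.0, "10.0.0.7", "10.0.0.129", 40000, 80, SYN),
    (1.1, "10.0.0.129", "10.0.0.7", 80, 40000, SYN | ACK),
    (1.2, "10.0.0.7", "10.0.0.129", 40000, 80, ACK),
    (1.3, "10.0.0.7", "10.0.0.129", 40000, 80, FIN | ACK),
    (1.4, "10.0.0.129", "10.0.0.7", 80, 40000, FIN | ACK),
    # bare FIN to port 21, retransmitted once, never answered
    (2.0, "10.0.0.5", "10.0.0.129", 51000, 21, FIN),
    (2.5, "10.0.0.5", "10.0.0.129", 51000, 21, FIN),
    # bare FIN to port 20, answered with RST/ACK
    (3.0, "10.0.0.5", "10.0.0.129", 51001, 20, FIN),
    (3.1, "10.0.0.129", "10.0.0.5", 20, 51001, RST | ACK),
    # Xmas probe (FIN/PSH/URG) to port 21, silence again
    (4.0, "10.0.0.5", "10.0.0.129", 51002, 21, FIN | PSH | URG),
]
```

Running `analyze(SAMPLE_RECORDS)` flags only 10.0.0.5 and reports port 21 as open|filtered and port 20 as closed, matching what the video's Nmap output showed.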
