WEBVTT

00:00.000 --> 00:10.000
What is up guys, welcome back to a new video. Today we are going to tackle the
third part of the nmap tutorial series, this time covering advanced nmap commands

00:10.000 --> 00:21.000
After we have covered nmap basic commands, or nmap basics, and nmap host discovery options in
the previous two videos, we are going to look at some more advanced nmap commands this time

00:21.000 --> 00:31.000
Sometimes it is necessary to perform scans that do something
other than the default TCP scan that nmap runs by default on a target

00:31.000 --> 00:40.000
And those more advanced commands are used, for example, to detect
more exotic services or to evade firewalls, amongst many others

00:40.000 --> 00:46.000
I also, as usual, have a written article on this topic on
the website and I will put the link in the description below

00:46.000 --> 00:57.000
I recommend that you pull up this article, maybe even while watching this video or maybe after, because
there is an overview of all the commands and a short list, or a short description, of what they do

00:57.000 --> 01:03.000
So you have all commands within a good view
and you can go ahead and work with that

01:03.000 --> 01:13.000
Before we get started with the actual content, I encourage you to subscribe to my channel
by clicking on the little subscribe button on the lower right hand corner of the video

01:13.000 --> 01:25.000
It really helps me to grow the channel. I have only very few subscribers so far and I invest a lot of
time in it, so I would really appreciate it if you showed some love back and subscribed to my channel

01:25.000 --> 01:37.000
It helps me to keep the project running, and also, if you like, go over to patreon.com; I have a Patreon
set up there and you can become a patron by clicking on this button and help me out with it

01:37.000 --> 01:44.000
As little as $1 per month helps me to keep
the server costs paid and keeps the project alive

01:44.000 --> 02:00.000
Thanks for that guys, let's get started with the actual tutorial. So the first command we are going to look at is the so-called
TCP SYN scan, and this scan scans the most used TCP ports by sending SYN packets to a target and awaiting a response

02:00.000 --> 02:09.000
This nmap command is more on the stealthy side of things because it doesn't try to
connect to a target, and you might be able to avoid being detected by a firewall

02:09.000 --> 02:14.000
I say might because it depends on
which system you are working against

02:14.000 --> 02:26.000
The actual command is sudo nmap -sS 192.168.60.9,
or whatever the IP address of your target host is

02:26.000 --> 02:34.000
Please note that most of the advanced commands
require a sudo prefix to function properly

02:34.000 --> 02:42.000
Alright, so this was the TCP SYN scan and now we are going
to check out the next one, which is the TCP connect scan

02:42.000 --> 02:53.000
To run this we don't need sudo, we can use nmap -sT and then the
IP address of our target, and we can see that it is done very quickly

02:53.000 --> 03:02.000
And the TCP connect scan can be run without sudo as you see here
and it attempts to establish a plain connection to the target host

03:02.000 --> 03:14.000
This is a noisy command, so if stealth is an issue or being detected is an issue, don't use
this command because it will most likely be detected by any modern IDS or even firewall

03:14.000 --> 03:25.000
Alright, next is the UDP scan. To do that you need
sudo again, so sudo nmap -sU 192.168.60.9

03:26.000 --> 03:36.000
and what this does is, it is basically a valuable asset
for scanning services that use UDP, like DNS or DHCP

03:36.000 --> 03:50.000
And I usually run a UDP scan, but it sometimes can take a long time to finish, like
you can see here, and then you have to see if it is worth it for you to wait longer

03:50.000 --> 03:56.000
or if not, I mostly just cancel the
scan and go ahead and use the next one

03:56.000 --> 04:07.000
So the next is the TCP null scan and this is run by typing
sudo nmap -sN and then the IP address of the target

04:07.000 --> 04:16.000
and the TCP null scan sends packets without any TCP flag, and this
method is basically used to get the firewall to respond to the scan

04:16.000 --> 04:25.000
So this can also be detected by an IDS, it's not very stealthy
either, but you can see that you get returned ports here

04:25.000 --> 04:40.000
and it doesn't tell you if it's basically closed or open per se, it has both states here, but
that's not the point of the command, it's just another way to get some results from the target

04:40.000 --> 04:56.000
If all other scans fail you can try this out. Alright, next is the TCP FIN scan and this is
run by nmap -sF, IP address of the target, and this actually needs sudo as you can see here

04:59.000 --> 05:08.000
It should give us a result, and there we go. And the TCP FIN
scan is also used to get a TCP echo response from a target

05:08.000 --> 05:17.000
and this is also another way to get around the firewall and maybe eventually
trigger a response from a target host; this is a little bit more stealthy again

05:18.000 --> 05:28.000
Next on the list is the Xmas scan, this is a funny sounding scan,
basically I can tell you a quote from nmap's official documentation

05:28.000 --> 05:40.000
where it says it sets the FIN, PSH and URG flags, lighting the packet up like
a Christmas tree, so you can imagine what this does for your stealthy approach

05:40.000 --> 05:47.000
Exactly, that's nothing, you will be detected very
easily by running this scan, but let's run it anyway

05:48.000 --> 05:58.000
And this is used to provoke a response from a target host behind the firewall,
but as I said, obviously it's a very noisy approach so it's rarely used

05:59.000 --> 06:11.000
Next on the list is the TCP ACK scan and it's run by typing sudo
nmap -sA and then the IP address of the target host

06:12.000 --> 06:17.000
and the TCP ACK scan is used to check if a
system is protected by a firewall or not

06:18.000 --> 06:24.000
If no RST response is given from the target system,
nmap assumes that the target system is still good

06:25.000 --> 06:30.000
If the target system returns an RST
response it will be set as unfiltered

06:31.000 --> 06:39.000
Ports being filtered is an indication that the system is behind a firewall and
unfiltered ports are most likely allowed through the firewall through specific rules

06:40.000 --> 06:51.000
So let's see what we have here, it just says that
basically the host is up and that all the ports are unfiltered

06:52.000 --> 07:01.000
so this is probably a false positive here, because sometimes you get a
different response and it tells you actually if there is a filter or not

07:02.000 --> 07:16.000
But on this side of the scan, because I'm not sitting behind a firewall here, it's actually
true that those ports are indeed unfiltered and probably open, or not behind a firewall

07:17.000 --> 07:22.000
Alright, let's move on to the next command,
which is the IP protocol scan

07:23.000 --> 07:30.000
To run this we type sudo nmap -sO and then
the IP address of the target, which is .9 again

07:31.000 --> 07:36.000
And the IP protocol scan shows all
protocols that are supported by the target

07:37.000 --> 07:43.000
and this option is mostly used to determine what kind of
scans you will run against the system based on its protocols

07:43.000 --> 07:50.000
And you can find the list of all of the protocols by
simply googling IP protocol list or something like that

07:51.000 --> 07:58.000
There is a Wikipedia article on the list of all IP protocol
numbers, and this takes a longer time, or can take a longer time, too

07:59.000 --> 08:05.000
And for this example I'm going to cancel it. Here
you can see the results of the scan on the website

08:06.000 --> 08:19.000
Alright, next on the list is the SCTP cookie echo scan
and it's run by running sudo nmap -sZ 192.168.16.9

08:20.000 --> 08:27.000
It should be a little bit faster here, there we
go. And this scan is a little bit more advanced

08:28.000 --> 08:34.000
It's a pretty silent way of scanning because it drops
packets containing cookie echo chunks on open ports

08:35.000 --> 08:41.000
but it does send an ABORT
response if the port is closed

08:42.000 --> 08:48.000
This scan is pretty silent, but it can still
be detected by an IDS, by a well-configured IDS

08:49.000 --> 08:54.000
But you can see here that it actually detected
way more ports than our previous scans

08:55.000 --> 09:12.000
and we can see that those ports are filtered. So I'm not exactly sure what this means, because
maybe they are protected by the host that I'm attacking right now, or that I'm scanning right now

09:13.000 --> 09:22.000
Maybe there is a firewall in place like a Linux firewall and that
might result in showing filtered ports here but I'm not 100% sure

09:23.000 --> 09:30.000
Just note that this is another possibility to run a scan.
Alright, the last scan that we have here is the idle scan

09:31.000 --> 09:41.000
So we do sudo nmap -sI and then... This is a little bit more difficult, I
actually cannot show it to you right now because you need two hosts for that

09:42.000 --> 09:50.000
and I will explain that to you in a second. So first you would
put the local zombie host, which is a computer on the network

09:51.000 --> 09:58.000
and because I don't have any other virtual machine up right now I cannot
do it, but you will find an example of this on the website as a screenshot

09:59.000 --> 10:04.000
And let's assume we had another host in the
system which would have .5 as an IP address

10:05.000 --> 10:10.000
and then we would put the IP
address of the target computer here

10:11.000 --> 10:15.000
and let's just see what this does.
Probably nothing because there is no .5

10:16.000 --> 10:22.000
and this scanning method runs a completely
blind TCP port scan against the target

10:22.000 --> 10:31.000
There are no packets sent from your own IP address. So this technique
uses a so-called zombie host to gather information about the target

10:32.000 --> 10:40.000
You basically specify this zombie host right here which is this one
which would be another host or client machine on a target network

10:41.000 --> 10:46.000
and the attack basically or the scan
would be stamped out from this host

10:47.000 --> 10:51.000
which makes it a little bit harder
for an IDS to detect your scan

10:52.000 --> 10:57.000
I don't know if you use it in the
field, it's a very exotic scan method

10:58.000 --> 11:02.000
I'm not sure, I used it a few times but
I don't think I used it on any assignment

11:03.000 --> 11:09.000
because I'm not entirely sure what it does, but as with
some other commands where I'm not 100% sure what they do

11:10.000 --> 11:17.000
I think as a conclusion you could say all those
advanced scanning techniques basically are,

11:18.000 --> 11:25.000
as it says in the name, advanced nmap
commands, and they are used if the default scans fail

11:26.000 --> 11:31.000
So this is like a fallback for you. You should
just note that there are advanced scans

11:32.000 --> 11:38.000
in case any other scan you run against the system fails and you don't
get any results from any scan or you're being detected or whatever

11:39.000 --> 11:46.000
whatever your purpose is on the network or on the assignment
just know that there are very advanced scan methods

11:47.000 --> 11:56.000
that eventually will provoke a response from a very tight
system. And that being said guys, this is it with this video

11:57.000 --> 12:02.000
This was the first part of the nmap tutorial
series covering the advanced nmap commands

12:03.000 --> 12:12.000
and the next part most likely will cover the
highly desired NSE or the nmap scripting engine

12:13.000 --> 12:17.000
where there are a lot of scans that
probably none of you have heard of

12:18.000 --> 12:26.000
because those are even more advanced scanning techniques
that include scripts that scan against certain services

12:27.000 --> 12:31.000
there is even a vulnerability scanning
script, so this is a really interesting topic

12:32.000 --> 12:39.000
You can definitely include the NSE scripts or the
nmap scripting engine into your pen testing workflow

12:40.000 --> 12:44.000
because there are so many valuable scripts
to run against all kinds of different things

12:44.000 --> 12:50.000
and I still need to build a list of stuff; I already
have commands that I use on most assignments

12:51.000 --> 12:56.000
but I want to compile a list of things that I
think are most valuable to run against the target

12:57.000 --> 13:02.000
And that's what we're going to cover in the
next one, and with that we can call it a day

13:03.000 --> 13:10.000
Please do subscribe to the channel once again, just
hit that little subscribe button in the lower right corner of the video

13:11.000 --> 13:16.000
I would be highly appreciative of that and
I hope to see you back in the next video

13:17.000 --> 13:20.000
I hope you enjoyed it. See
you, thanks for watching
