[00:00:00] Network scanning is a critical and foundational technique in the field of cybersecurity, serving as an essential part of both offensive and defensive strategies. It allows security professionals to map out a network infrastructure, identify vulnerabilities and maintain visibility of network devices and systems. By scanning the network, professionals are able to detect open ports, running services and potential weaknesses that could be exploited by attackers. Conversely, attackers use network scanning for reconnaissance, gathering information on available targets before launching more targeted attacks like exploits or denial of service attempts.

[00:00:48] The process of network scanning typically starts with host discovery, which identifies live devices on the network. This can be achieved through tools that leverage the Address Resolution Protocol (ARP) or ICMP using ping sweeps, both of which are methods to determine which devices are currently active and responsive within a specific range. Once the live hosts are identified, scanning continues with port detection, where the objective is to determine which ports are open, closed or protected by firewalls. This is crucial because open ports often expose services that could potentially be attacked.
[00:01:31] Several techniques exist for port scanning, including SYN scans, which are stealthy and do not complete a full TCP handshake, making them harder to detect; connect scans, which complete the full handshake and are thus easier to detect; and more evasive methods such as NULL scans, FIN scans and Xmas Tree scans. These methods vary in their detectability and can be used depending on the attacker's need to avoid detection or bypass specific security mechanisms.

[00:02:07] Once the port scanning phase is completed and the state of the ports (open, closed, filtered) is known, the next step is service enumeration. Service enumeration goes a step further by identifying the specific services running on open ports. This can be done through techniques like banner grabbing, where the attacker sends a request to the service and analyzes the response for information about the service version or configuration. For example, a simple HTTP request to a web server might reveal the server type, for example whether it is using Apache or NGINX, and its version. Service enumeration allows security professionals to identify outdated services, misconfigurations or services that are unnecessarily exposed, which can be exploited by attackers.
[00:03:00] A real-world example of network scanning would be a systems administrator scanning their internal subnet, for example .1.0, to identify active hosts, open ports and services. The administrator could use Nmap, a popular network scanning tool, to perform a scan with various options like -sS for a SYN scan, -sV for service version detection, and -O for operating system fingerprinting. Running a command such as nmap -sS -sV -O would return a comprehensive map of the network, listing active directories, active hosts, their open ports, the services running on these ports, and the operating systems of the devices. This map enables the administrator to detect risks, unauthorized devices, or vulnerable services that might be exposed to threats.

[00:04:02] Network scanning is typically broken down into three sequential phases: host discovery, port scanning, and service enumeration. Each phase builds upon the previous one, creating a comprehensive picture of the network and its associated risks.

[00:04:18] Host discovery. The first phase of network scanning is host discovery, where the objective is to identify which devices or systems are active on a network. Host discovery can be achieved using different techniques, such as ICMP echo requests using ping commands, ARP requests for local networks, or TCP/UDP probes. Tools like Nmap and arp-scan are often used for this purpose.
[00:04:45] For example, a penetration tester might run the command nmap -sn followed by the network IP to perform a ping sweep across a corporate subnet. This scan will return a list of active hosts, which are the devices or systems currently responding and connected to the network. Host discovery is a crucial first step, because it helps the tester focus efforts on live devices, ignoring those that are offline.

[00:05:15] Port scanning. Once active hosts are identified, the next phase is port scanning, which determines which communication endpoints, the ports, are open on the live hosts. By probing these ports, the tester can assess the state of each port: whether it is open, closed, or filtered by a firewall or for some other reason. Different types of port scanning techniques exist, including SYN scans, connect scans (-sT), and UDP scans (-sU). SYN scans are typically favored for stealth, as they only send the SYN packet without completing the TCP handshake. For example, after conducting a SYN scan, the tester might find that port 80 or port 22 for SSH are open on several hosts, providing valuable information on the services running on those systems. Then it's service enumeration.
[00:06:10] Service enumeration. The final phase of network scanning is called service enumeration, where the goal is to gather detailed information about the services or applications running on the identified open ports. This step is essential, because it helps to identify potential vulnerabilities or misconfigurations. Service enumeration typically uses version detection (-sV), or more advanced methods like the Nmap Scripting Engine (NSE), to interact with services and determine their exact configurations. For example, the tester might run the Nmap command using -sV to identify service versions. This can reveal that the host running HTTP on port 80 is using Apache 2.4.2.9 and SSH on port 22 is using OpenSSH version 7.6, for example. Such information is very valuable for penetration testers, because it can highlight outdated or vulnerable software that needs to be patched.

[00:07:14] An example scenario considers a penetration tester that evaluates a corporate subnet such as 10.0.0.0. The tester begins with host discovery, running a ping sweep or ARP scan, to identify 12 active hosts on the network. These are devices that are connected inside the network. They perform a SYN scan on each of the identified hosts to probe for open ports, revealing that ports 80 or 22 are open on some of the devices.
[00:07:49] After identifying the open ports, the tester moves to service enumeration and tries to determine the version of each system, Apache version X and OpenSSH. This version information is critical and might have well-known vulnerabilities. The tester can now recommend specific mitigations, such as patching those versions to prevent exploitation by attackers.

[00:08:16] After identifying the live hosts, the Nmap tool can perform detailed port scans to identify which ports are open, as we explained before. However, when dealing with large networks or vast address spaces, speed becomes a significant factor. This is where Masscan shines. Unlike Nmap, which is known for detailed scans, Masscan is optimized for speed. It can send millions of packets per second, making it extremely fast for conducting initial reconnaissance across large IP ranges. Masscan uses its own TCP/IP stack, which enables the tool to scan entire subnets or large networks rapidly.
[00:08:59] For example, if a security analyst is tasked with scanning a large organization's network, they might use Masscan with a command like masscan, then the network IP .0.0, the specific -p and the port numbers, and the rate, which defines how much size the packets would be, which will scan an entire subnet at a very high rate for common ports like SSH, which is on 22, HTTP or HTTPS. This rapid scanning capability allows the analyst to quickly identify which ports are up and which ports are open, providing a list of potential targets for further investigation. Once Masscan has identified active hosts and open ports, Nmap is typically used to perform more detailed scans on these targets. For instance, we can use the flags that we used before, like -sV and -O, to conduct SYN scans and so on. This will provide details on the version of Apache and so on.

[00:10:05] For those who prefer a more visual interface to manage network scans, Zenmap is a great choice. Zenmap is the official graphical user interface for Nmap, designed to make Nmap's powerful features more accessible to users who may not be very comfortable with command line operation. Zenmap provides an intuitive interface for configuring Nmap scans and displaying the results visually. 
It simplifies the process of choosing scan types, setting targets and interpreting results, while Nmap requires detailed command line input to configure scans. Zenmap offers a user-friendly alternative, which can be especially helpful for network administrators and less experienced users who still want to leverage the full power of Nmap for its scanning capabilities.

[00:10:58] Angry IP Scanner is another tool that offers simplicity and ease of use for basic network scanning tasks. This makes it an excellent tool for administrators or users to perform scans.

[00:11:17] Finally, Netcat, or nc as it's called, is a versatile tool that is often underappreciated, but incredibly powerful when it comes to network testing. Netcat is an open command line utility that can be used to test and open ports and move data between devices, and in different established factors in team exercises. One of the most common uses for Netcat is banner grabbing, which involves connecting to an open port to extract information about the service running on that port. For instance, if the analyst finds an open HTTP port on 8080, they can use Netcat to manually interact with the service by typing nc (Netcat), the IP address, and then the port number.
[00:12:08] This could allow the analyst to send very low-level HTTP requests or receive banners that reveal the service version and other details that might be useful for identifying vulnerabilities.

[00:12:23] Returning to Angry IP Scanner, it's a lightweight, cross-platform tool. It's ideal for quickly determining which devices are active on the network. It's like Masscan or Nmap scanning to identify open devices that are connected to the network. This makes Angry IP Scanner an excellent tool for users to conduct a fast enumeration and to check the health and so on. But it's very intrusive.

[00:12:52] In practice, a security analyst may combine those tools in a layered approach to scanning. First, they might use Masscan to quickly identify live hosts and open ports across a large address space. Once potential targets are identified, Nmap can be used to conduct more in-depth analysis, revealing the services running on those open ports and identifying their versions. If a suspicious service is found, the analyst can use Netcat to manually interact with the service, retrieve banners, or probe further using raw packets at a low level.
[00:13:28] Less experienced users can use a host discovery tool like Angry IP Scanner or Zenmap, which is very simple to use and a more approachable way to perform scans, but if you need more advanced tools and more advanced configurations, eventually you go to Nmap scanning. That's it.

[00:13:50] Each tool in the network scanning toolkit brings unique advantages and technical trade-offs, depending on the specific goals and circumstances of the scan. Nmap is an industry standard tool known for its versatility and depth of functionality. One of its key strengths is the Nmap Scripting Engine, the NSE scripts, which allows users to automate a wide variety of tasks such as vulnerability scanning, brute forcing credentials, and even performing complex service detection, or DoS attacks. Nmap also excels at stealth scanning, enabling different configuration options and other advanced settings, which makes it harder for intrusion detection systems to detect if they are used in a very advanced, very sophisticated way. These capabilities make Nmap ideal for comprehensive network assessments that require deep insight into services and vulnerabilities.

[00:14:52] We have seen Netcat and Masscan and all of these tools that can be used for network scanning. However, network scanning, regardless of the tool that is used, is not without legal and ethical considerations.
[00:15:07] Unauthorized scanning, even if done with the intent of improving security, can lead to significant legal consequences. For example, laws like the Computer Fraud and Abuse Act (CFAA) in the United States, or the Cybercrime Directive in the European Union, make it illegal to access or tamper with computer systems without authorization. In some cases, even conducting simple reconnaissance activities such as port scanning may be considered a violation of these laws, particularly if the scan is interpreted as a precursor to an attack.

[00:15:43] Ethically, network scanning should always be performed with the appropriate permissions. Security professionals are expected to follow responsible disclosure practices, ensuring they have explicit authorization before conducting any scans. This authorization is typically granted through rules of engagement (ROE) or contracts that outline the scope, goals and boundaries of the scan. These documents serve as a legal safeguard for both the professional and the organization, ensuring that the scanning activities are in line with ethical guidelines and do not inadvertently disrupt services or breach user privacy. By adhering to ethical guidelines and legal frameworks, security professionals can ensure their scanning activities contribute to improving security rather than unintentionally causing any harm.
[00:16:46] Let's break down a scenario where a network administrator is auditing a local subnet, .1.0 for example, using Nmap to gain insights into the active devices and services within the network. The process starts with a simple host discovery step. The administrator runs the command nmap -sn followed by the IP of the network. This command sends ICMP echo requests, also known as ping requests, to the entire subnet. Additionally, on local networks Nmap can use ARP scanning to identify active devices, as ARP works even when ICMP is blocked by firewalls. It's like publicly available information using the Address Resolution Protocol. The -sn switch tells Nmap not to perform any port scanning; it only checks for the presence of live hosts. If a device responds, Nmap flags it as active, providing the administrator with a list of devices that are online within the subnet.

[00:17:49] Next, the administrator zooms in on a specific device, for example .1.1, and checks for common open ports using the command nmap -p 22,80,443. This scan is focused on checking whether the target device has specific ports open, like SSH, HTTP and HTTPS. These are typically used for remote access and web-based services. The command sends SYN packets and discovers if the ports are open, closed or filtered by the firewall. This process is helpful for identifying potential attack vectors on a specific device.
[00:18:30] To gain more granular information about the services running on a specific port, you can use -p 8 and thus discover a specific port, or have a range from 1 to 1,000 and check which of them are actually open. The -sV reminds us that this is about the version, and will provide the version of the specific service that has the port open. The -sn is used to perform the ping scan, -p for the ports and -sV for the versions.

[00:19:04] Another important option is the timing options, which adjust how quickly Nmap performs scans, with slower scans being less likely to trigger alerts from intrusion detection systems. -T has its own values to set up the threshold of the timing. There are also other options like output formats. You can save the result of Nmap to a specific file; specifying -oN or -oX lets the administrator save scans in different formats like plain text or XML or JSON and so on. The NSE scripts allow for the execution of scripts that can automate vulnerability scanning, so this is very important to handle on Nmap.

[00:19:55] To begin with, students will initiate the process with a basic host discovery scan, by using the command nmap -sn followed by the network IP. Normally the network IP on the host-only adapter there is 56.0, but this can be configured otherwise if you want.
[00:20:15] They will identify which virtual machines (VMs) are currently active on the network, so they will discover WebGoat, DVWA or whichever vulnerable machine they have uploaded on their network. This step mimics the first stage of a network assessment, where security professionals establish which hosts are online and ready for further examination. Once they have identified live hosts, the next task will be port scanning. For instance, by executing the Nmap scan with -p, then the range of port numbers and the IP address of the specific VM, the students will be able to check for common services such as FTP, SSH, HTTP and so on. These are typical ports of interest in a core security scan. Finally, students will delve into service enumeration with a command like -sV to find the specific versions of the vulnerable services.

[00:21:14] Through this lab, students will also explore several advanced Nmap options, and to customize their scans they will use -v, -oN, -oX for exporting to XML, and they can use timing options like -T3 in order to adjust the scan's timing, balancing speed with stealth, which is important in real-world scenarios where avoiding detection is often a priority.
[00:21:40] It is crucial that scans are conducted only on sandboxed or permission-granted systems; controlled environments such as a NAT network and virtualization tools like VirtualBox will provide this opportunity. Otherwise, the students can also use scanme.nmap.org, which is a website offered by Nmap in order to do test scans without any legal issues. By working with controlled settings, students can test and tweak their scanning techniques without worrying about violating policies or causing any disruptions.

[00:22:15] The results of the scans should be documented carefully and the students should analyze the data critically. They will be asked to interpret the significance of each port and the associated service. For example, an open SSH port could indicate a potential vector for remote login attacks using brute force if weak passwords are in use, while an open HTTP port could expose a vulnerable web application to exploitation. Encouraging students to think about the security implications of each scan result will help them develop not only their technical proficiency but also their analytical thinking, which is essential for effective cyber security practices in real-world scenarios.