1
00:00:00,840 --> 00:00:02,610
Instructor: We mentioned fragmented packets

2
00:00:02,610 --> 00:00:05,220
and creating decoys in the previous video.

3
00:00:05,220 --> 00:00:08,160
Right now we are going to mention a few more options

4
00:00:08,160 --> 00:00:10,950
and even though they are not that important,

5
00:00:10,950 --> 00:00:12,720
it is good to know they exist

6
00:00:12,720 --> 00:00:15,150
so let's go through them real fast.

7
00:00:15,150 --> 00:00:16,800
I will not be running these options

8
00:00:16,800 --> 00:00:18,900
but you can test them out if you want.

9
00:00:18,900 --> 00:00:22,980
I will just mention them so you know what else you can use.

10
00:00:22,980 --> 00:00:26,073
The first thing we got is option dash S,

11
00:00:26,970 --> 00:00:31,710
and you run it like this, Sudo NMAP dash S,

12
00:00:31,710 --> 00:00:35,670
and this option is used to spoof your IP address.

13
00:00:35,670 --> 00:00:38,370
It will make your target think that someone else

14
00:00:38,370 --> 00:00:39,660
is scanning them.

15
00:00:39,660 --> 00:00:42,690
The problem with this is that you will not get results

16
00:00:42,690 --> 00:00:44,850
of scanned back since they will be sent

17
00:00:44,850 --> 00:00:47,940
to the IP address that you're trying to impersonate.

18
00:00:47,940 --> 00:00:49,020
So for example,

19
00:00:49,020 --> 00:00:53,940
you can be trying to impersonate 8.8.8.8

20
00:00:53,940 --> 00:00:57,480
and your target will be scanned with this IP address

21
00:00:57,480 --> 00:00:59,700
or at least it will seem that the scan

22
00:00:59,700 --> 00:01:01,740
is coming from this IP address.

23
00:01:01,740 --> 00:01:06,330
For this option to work, you must also specify dash Pn.

24
00:01:06,330 --> 00:01:08,730
And the reason why you must specify dash Pn

25
00:01:08,730 --> 00:01:11,400
is first of all, dash Pn is used to assume

26
00:01:11,400 --> 00:01:13,860
that all hosts are online.

27
00:01:13,860 --> 00:01:16,560
So it doesn't perform the ping scan to discover

28
00:01:16,560 --> 00:01:19,140
whether a host is up and running.

29
00:01:19,140 --> 00:01:22,170
Without the dash Pn, this option would not work,

30
00:01:22,170 --> 00:01:24,720
and the reason is because your target

31
00:01:24,720 --> 00:01:26,943
will be scanned with this IP address.

32
00:01:27,840 --> 00:01:30,810
And we will not be able to get the packets back

33
00:01:30,810 --> 00:01:33,870
and see whether the target is on or off.

34
00:01:33,870 --> 00:01:37,800
That's why we will just assume that the target is online

35
00:01:37,800 --> 00:01:40,800
so we can scan them with a different IP address.

36
00:01:40,800 --> 00:01:43,290
Otherwise, we will never get the result

37
00:01:43,290 --> 00:01:45,060
whether they are online.

38
00:01:45,060 --> 00:01:47,250
And sometimes with these two options

39
00:01:47,250 --> 00:01:50,370
you must also run dash E.

40
00:01:50,370 --> 00:01:53,520
E is used to specify a network interface.

41
00:01:53,520 --> 00:01:55,980
So you would simply just type, ifconfig,

42
00:01:55,980 --> 00:01:58,950
check out what network interface you're using,

43
00:01:58,950 --> 00:02:01,260
and you would specify it right here.

44
00:02:01,260 --> 00:02:04,260
In my case, that would be ETH0.

45
00:02:04,260 --> 00:02:07,770
Another cool option besides this that NMAP has

46
00:02:07,770 --> 00:02:12,363
is you can specify the source port with dash G option.

47
00:02:13,200 --> 00:02:15,810
This can sometimes help bypass a firewall.

48
00:02:15,810 --> 00:02:19,320
For example, a network administrator may set up a firewall

49
00:02:19,320 --> 00:02:22,380
and set a rule where only traffic from a certain port

50
00:02:22,380 --> 00:02:23,520
is allowed.

51
00:02:23,520 --> 00:02:26,520
And with that he's probably thinking that attackers

52
00:02:26,520 --> 00:02:29,910
won't be able to figure out from which port exactly.

53
00:02:29,910 --> 00:02:33,180
And if you perform a scan and send packets

54
00:02:33,180 --> 00:02:36,420
from the port that's allowed in the firewall rule,

55
00:02:36,420 --> 00:02:38,970
you successfully bypass firewall.

56
00:02:38,970 --> 00:02:40,830
So you would specify it with dash G

57
00:02:40,830 --> 00:02:43,470
and then random port number.

58
00:02:43,470 --> 00:02:46,530
And one last thing that we will mention that would help you

59
00:02:46,530 --> 00:02:50,970
in bypassing fireball is changing different scan types.

60
00:02:50,970 --> 00:02:53,340
We already covered some scan types

61
00:02:53,340 --> 00:02:56,910
and any of them could be useful to you sometimes.

62
00:02:56,910 --> 00:03:01,910
For example, in case you perform a SYN scan

63
00:03:02,010 --> 00:03:06,270
on a target machine and in case the SYN scan is blocked

64
00:03:06,270 --> 00:03:07,800
by the target's firewall

65
00:03:07,800 --> 00:03:10,950
which would mean that they drop all SYN requests

66
00:03:10,950 --> 00:03:13,290
that try to initiate TCP connection,

67
00:03:13,290 --> 00:03:15,960
we could try to perform a FIN scan.

68
00:03:15,960 --> 00:03:19,980
And FIN scan is labeled like this, dash sF.

69
00:03:19,980 --> 00:03:22,830
Now, you're probably confused because there are a lot

70
00:03:22,830 --> 00:03:24,390
of scans that we can do.

71
00:03:24,390 --> 00:03:27,030
And in case you don't have any networking background

72
00:03:27,030 --> 00:03:30,150
you're probably wondering what FIN scan even means.

73
00:03:30,150 --> 00:03:32,970
Well, FIN scan is just sending a FIN packet

74
00:03:32,970 --> 00:03:34,440
without any other flags.

75
00:03:34,440 --> 00:03:38,010
And these SYN flags and FIN flags can be confusing sometimes

76
00:03:38,010 --> 00:03:40,740
but with practice you will catch everything up.

77
00:03:40,740 --> 00:03:43,200
Just one advice I have is that every time

78
00:03:43,200 --> 00:03:46,620
you don't fully understand something, just Google it.

79
00:03:46,620 --> 00:03:48,660
That is how I learned as well.

80
00:03:48,660 --> 00:03:51,810
And all of these options that we covered can be combined

81
00:03:51,810 --> 00:03:55,290
with something called Timing Template.

82
00:03:55,290 --> 00:03:57,810
And to show you what Timing Template really is,

83
00:03:57,810 --> 00:04:01,020
I opened up my NMAP manual right here,

84
00:04:01,020 --> 00:04:03,900
and I scrolled to this option right here

85
00:04:03,900 --> 00:04:06,990
which says, dash D Timing Template.

86
00:04:06,990 --> 00:04:09,390
And if you also open up NMAP manual

87
00:04:09,390 --> 00:04:11,220
this will be all the way down.

88
00:04:11,220 --> 00:04:14,400
So there are about one or two minutes of scrolling

89
00:04:14,400 --> 00:04:16,290
until you reach this option.

90
00:04:16,290 --> 00:04:19,260
Here in the NMAP manual we can see the dash T

91
00:04:19,260 --> 00:04:23,940
comes with six different options or six different modes.

92
00:04:23,940 --> 00:04:27,330
And what's interesting for us regarding security evasion

93
00:04:27,330 --> 00:04:32,190
are the first two modes which are zero and one,

94
00:04:32,190 --> 00:04:35,970
also called, paranoid, and sneaky.

95
00:04:35,970 --> 00:04:40,970
These two are used for IDS evasion as it says right here.

96
00:04:41,040 --> 00:04:44,070
Now the problem with T zero and T one

97
00:04:44,070 --> 00:04:46,920
or the first two options is since they're trying

98
00:04:46,920 --> 00:04:51,360
to avoid IDS alerts they will take a lot longer to finish.

99
00:04:51,360 --> 00:04:54,810
So once you're scanning more machines or more networks

100
00:04:54,810 --> 00:04:58,320
this might not be the most reasonable approach to take

101
00:04:58,320 --> 00:05:01,620
since this scan will take a lot of time

102
00:05:01,620 --> 00:05:05,130
with specifying dash D zero or dash D one.

103
00:05:05,130 --> 00:05:07,740
And all of this including the options that we cover

104
00:05:07,740 --> 00:05:10,800
in the last video will help you in security evasion

105
00:05:10,800 --> 00:05:11,940
and spoofing.

106
00:05:11,940 --> 00:05:14,670
What I would advise you to do is also read about

107
00:05:14,670 --> 00:05:17,430
other options as well that we didn't cover

108
00:05:17,430 --> 00:05:19,770
just to see what else can you do.

109
00:05:19,770 --> 00:05:22,740
In the next video, big things are happening.

110
00:05:22,740 --> 00:05:24,840
We're going to create our first tool

111
00:05:24,840 --> 00:05:26,490
used for penetration testing.

112
00:05:26,490 --> 00:05:27,323
Let's do it.