Chris, please make an nmap series in depth
Upvoted!
Thanks for the suggestion! I will keep up the content. I appreciate the feedback - helps me know what content you guys are interested in!
@@bearsnake3394 Nice job on the -s question. Nice to meet you and thanks for the comment!
ECN and CWR please!
You're awesome.
Chris, thanks so much. Your teaching is amazing. I've been an electrical engineer for just under 45 years, and I'm getting back into networking and wireshark. Recently I've been investigating why a particular website is slow and inconsistent when accessed from my Virtualbox/Ubuntu VM, but perfect when accessed from my W10. Your "keep your eye on the ball" advice helped me to filter out all the irrelevant conversations when starting a blank Firefox (wow, that's a lot of junk, and 10 second keep alives), so now I'm seeing just the relevant conversation directly with the website. Still trying to figure why I'm sending RST's, but I think I'm now reasonably confident that my VM buffer/window isn't the limiting factor. Anyway, thanks again. Oh, and learning to enable "Name Resolution" is heaven for me :)
Wow thanks for the comment! Great job on the pcap with that website. Let me know if you want me to take a second look at it for you. I'll see you around the channel!
@@ChrisGreer Chris, thanks, but just as I received your reply I made the stunning breakthrough that the website isn't playing nicely with Firefox, but Chrome works great. The website owner thought maybe my VM was the culprit, but I'll let him know he's got some work to do :) Thanks again.
Going to watch multiple more times to prep for Net+. Thx!
Nice! Go get it!
Great video, Chris. Really liked the explanation between the two nmap scan types. Looking forward to your next nmap video.
Glad you enjoyed it!
Great stuff Chris, really appreciate your workflow and transfer of knowledge in your topics.
Thanks for the comment John!
We want more nmap tutorials.
And thank you for sharing!
Thanks for the comment!
You are awesome. Best explanation.
Joining nmap and Wireshark is sick.
Thanks for watching and for the comment!
Hi Chris, I love your style of explaining things with Wireshark. Hope to see more videos.
Thanks! Be sure to check out my new Nmap course - www.bit.ly/udemynmap
Great video Chris! Can't wait to see more of these
Thanks Ian. More on the way!
Chris, your explanation is amazing...
Please upload videos on nmap, bettercap, ettercap and also on other tools..
Love from Pakistan..
I will! Thanks for the comment.
Hi Chris, great to see you again. I saw your video with Mr. Bombal, such a good one. Thanks for all your contributions. By the way Chris, you remind me of one thing: you're like a radiologist in medicine, who sees the real stuff inside bodies; like him, you see the real stuff inside the packets. Thanks, keep giving.
Thanks for watching!
Love this series 👍🏾 this video was great
Love the nmap in depth idea!
I’ll keep them coming!
@@ChrisGreer might consider adding the "Join" option for those of us who would like to support your work. For now I'm going to grab a coffee mug from your store! Keep it coming
Thanks Chris for sharing this video with us. I am actually studying for the Security+ right now (this moment) and need to learn this.
Awesome! Good for you - yes definitely try and remember the nmap stuff. I'll do my best to help. :-)
Thanks for the video Chris. Awesome stuff as always
You have a great talent for teaching
Thanks for the comment!
Thank you for this Chris. I've been waiting for it. If you know you know🔥😋
More on the way Faran!
@@ChrisGreer waiting for the NSE scripts video
Awesome! These scans have been added as filter buttons to the "Security" profile we recently created in another video on this channel. Now, when anybody knocks on my server's door trying to be stealthy, he will get caught with a single click, muahahahar! ;)
Nice!! 👏👏
I would love more videos on scanning tools and their different options. Sometimes my scans just come back with nothing despite me doing "everything correctly"; learning why they fail would be cool
Great video! I always wondered what the point of a stealth scan could be, since most firewalls would log even just a SYN packet, but I did not know that some systems would log a connection only after the 3-way handshake.
Great Explanation. Thank you.
Glad it was helpful!
Very awesome and pretty informative. So, is it a good idea to block SYN packets with a 1024 window and no scaling factor on a web server? Can I block something suitable in this way?
If there are no options? Or only the MSS? I would say so - it’s a good signature for nmap and I have not seen too many real TCP stacks do that.
@@ChrisGreer I think both cases have no significant difference. I think if the client just wants to find a possibility to connect without real interaction, it will not bring any "profit" to the server. But "not seen too many" means "some such exist"?
Hi Chris!! Awesome video you are the man! 🙌😉
I have a question: if nmap doesn't send an RST, what would happen?
Regards from Argentina 😁🤙🤙
Hey Alejandro! What's up, my friend? Ok that is a great question. So basically since the server doesn't hear back, it will think that the SYN/ACK was lost and it will retransmit it a few times. To save the bother, we reset to let the endpoint know that we are abandoning the connection.
@@ChrisGreer Hahaha hey!! You speak Spanish too? Ok ok, I got it now!
I asked you about that 'cause, you know, if the 3-way handshake doesn't conclude, I think the host still spends resources. Is it?
Sorry for my poor English, I'm working on it... hahaha!!
No problem, I understand. Yes! I lived in Central America for a few years. I'm always trying to practice. It's easy to forget, like the TCP "headers"! 😄
@@ChrisGreer Oh, great, teacher! What a joy! haha...
I have a thousand questions to ask! If you don't mind, can I email you? I want to find some issue that I think I have on my office network.
Without obligation please!
@@alejandroparrello6493 sure! packetpioneer@gmail.com
Very nice content ! Great work, thanks !!
Thank you!
Perfect as always
Thank you so much 😀
Thanks. Love your nmap videos :)
Glad you like them!
Great video, thanks a lot for sharing with us.
Glad you enjoyed it
That was a nice video Chris
Thank you!
IDK what to say, thanks a lot for these videos, they really help... May I ask, can I put a rule in an IDS that catches a SYN scan based on the lack of TCP options and the small size of the "window"? Also, can you please explain the best practice to hide yourself in a network as an Ethical Hacker (Pentester). Thanks again
Sure you could - that would be a way to catch this type of half-open, or "stealth", scan. Many IDSs can catch these types of scans these days, so you probably can find a rule or signature that can isolate it pretty easily. I'm still learning pentesting myself, so I'm not an expert by any means! But as a protocol analyst, we are looking for things that look "weird". So hiding traffic in normal-looking flows is what I would do to try to stay under the radar. I'd check out someone like John Hammond for tips on how to best fly low!
@@ChrisGreer That would be great, when we see you with John talking about network security and stealth
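The two threads above (blocking SYNs with a 1024 window and no scaling factor, and writing an IDS rule on the lack of TCP options plus a small window) describe the same fingerprint from the defender's side. The script below is an added example, not code from Chris or from the video: it classifies SYN packets by advertised window and option set and only raises an alert when one source probes several ports on the same host, which keeps the caveat from the thread (a few real TCP stacks do send bare SYNs) from turning into a block rule that drops legitimate clients. The packet records, the 1024-window threshold, the option names, and the `min_ports` value are all assumptions constructed for this example.

```python
"""Flag SYN packets that carry the scanner-style fingerprint discussed in the
thread (advertised window <= 1024 and no TCP options beyond MSS) and alert only
when a source walks several ports on one host. All sample data is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class SynPacket:
    src: str                  # source IP address
    dst: str                  # destination IP address
    dport: int                # destination TCP port
    window: int               # advertised receive window in the SYN
    options: FrozenSet[str]   # TCP option kinds present (names are an assumption)


def looks_like_scanner_syn(p: SynPacket, max_window: int = 1024) -> bool:
    """True if the SYN has a tiny window and at most an MSS option, i.e. no
    window scale, SACK-permitted or timestamp options that OS client stacks
    normally include. The 1024 threshold follows the value quoted in the thread."""
    if p.window > max_window:
        return False
    return p.options <= frozenset({"mss"})   # empty option set, or MSS only


def detect_syn_scans(packets: List[SynPacket], min_ports: int = 5) -> Dict[str, List[int]]:
    """Return {"src->dst": [ports]} for every source that sent fingerprint-matching
    SYNs to at least `min_ports` distinct ports on the same host. A single odd SYN
    from a legacy or embedded stack never reaches the threshold, so it is reported
    as nothing rather than blocked outright."""
    seen: Dict[str, set] = defaultdict(set)
    for p in packets:
        if looks_like_scanner_syn(p):
            seen[f"{p.src}->{p.dst}"].add(p.dport)
    return {flow: sorted(ports) for flow, ports in seen.items() if len(ports) >= min_ports}


# Constructed sample: a normal browser SYN, one lone bare SYN from a quirky
# device, a small-window SYN that still carries window scaling, and a burst of
# scanner-style SYNs walking a port list.
SAMPLE: List[SynPacket] = [
    SynPacket("10.0.0.5", "10.0.0.80", 443, 64240, frozenset({"mss", "sackOK", "timestamp", "wscale"})),
    SynPacket("10.0.0.9", "10.0.0.80", 80, 512, frozenset({"mss"})),
    SynPacket("10.0.0.7", "10.0.0.80", 22, 1024, frozenset({"mss", "wscale"})),
] + [
    SynPacket("10.0.0.66", "10.0.0.80", port, 1024, frozenset({"mss"}))
    for port in (22, 80, 443, 3389, 8080, 8443)
]


def run_sample() -> Dict[str, List[int]]:
    """Run the detector over the constructed sample and return the alerts."""
    return detect_syn_scans(SAMPLE)


if __name__ == "__main__":
    for flow, ports in run_sample().items():
        print(f"possible SYN scan {flow}: ports {ports}")
```

The design choice is alert rather than drop: the fingerprint alone identifies "weird" SYNs, but the per-source port count is what separates a scan from one odd client, so the same logic maps onto an IDS threshold rule rather than a firewall block.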
You are the best!!
Very clear explanation. Though - why would one choose a full TCP scan over the stealth one? I see no upsides. Thanks
If you are doing pen testing from within a company and don't need to worry about setting off alerts, you want to be as thorough as possible.
@@justindittburner216 thanks
I think these days, either way you run the chance of setting off alerts. That is why some in the community feel that "Stealth" isn't the best name for the half open scan. Who knows, maybe that will get changed....
legit useful info here. keep it up
Thanks, will do!
Great video. Thanks for sharing.
Thanks for the comment!
Many thanks
Thanks Chris
You are welcome!
I'd really appreciate it if you uploaded the Wireshark captures to follow along with
Hi Justin, thanks for commenting! In many, if not most, of my videos I choose to share the pcap because it is really hard to reproduce. In this nmap one I chose not to, since it is a much simpler pcap to generate.
Thanks Chris!!
You are welcome!
A+. Thank you
So the -sT is the default if you don't enter any -s?
Superb
Thank you!
How about stealth scan vs TCP SYN ping?
Nice. In future, some real packet explanation would be needed.
On the way!
Nice, THX! :-)
Thanks for the comment!
Very clear explanation, thank you!
Thanks for the comment!