4.5.2.10 Lab - Exploring Nmap
cyber security (INTE2557)
Royal Melbourne Institute of Technology
Topology
Objectives
Part 1: Exploring Nmap
Part 2: Scanning for Open Ports
Background / Scenario
Port scanning is usually part of a reconnaissance attack. There are a variety of port scanning methods that can be used. We will explore how to use the Nmap utility. Nmap is a powerful network utility that is used for network discovery and security auditing.
Required Resources
CyberOps Workstation Virtual Machine
Internet access
Part 1: Exploring Nmap
In this part, you will use manual pages (or man pages for short) to learn more about Nmap.
The man [program | utility | function] command displays the manual pages associated with the arguments. The manual pages are the reference manuals found on Unix and Linux OSs. These pages can include these sections: Name, Synopsis, Descriptions, Examples, and See Also.
a. Start CyberOps Workstation VM.
b. Open a terminal.
c. At the terminal prompt, enter man nmap.
[analyst@secOps ~]$ man nmap
What is Nmap?
Nmap is network connection end scanning software, which is used to scan the open network connection ends of computers on the Internet.
What is nmap used for?
The first is to detect whether a group of hosts is online; the second is to scan the host ports to sniff the network services provided; and also to infer the operating system used by the host.
While in the man page, you can use the up and down arrow keys to scroll through the pages. You can also press the space bar to forward one page at a time.
To search for a specific term or phrase, enter a forward slash (/) or question mark (?) followed by the term or phrase. The forward slash searches forward through the document, and the question mark searches backward through the document. The key n moves to the next match.
d. Use the search function to answer the following questions.
What does the switch -A do?
To enable Nmap scan, version detection, traceroute.
What does the switch -T4 do?
T4 for faster execution.
e. Scroll through the page to learn more about nmap. Type q when finished.
Part 2: Scanning for Open Ports
In this part, you will use the switches from the example in the Nmap man pages to scan your localhost, your local network, and a remote server at scanme.nmap.
Step 1: Scan your localhost.
a. If necessary, open a terminal on the VM. At the prompt, enter nmap -A -T4 localhost. Depending on your local network and devices, the scan will take anywhere from a few seconds to a few minutes.
[analyst@secOps Desktop]$ nmap -A -T4 localhost
Starting Nmap 7 ( nmap ) at 2017-05-01 17:20 EDT
Nmap scan report for localhost (127.0.0)
Host is up (0 latency).
Other addresses for localhost (not scanned): ::
rDNS record for 127.0.0: localhost
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|-rw-r--r-- 1 0 0 0 Apr 19 15:23 ftp_test
22/tcp open ssh OpenSSH 7 (protocol 2)
| ssh-hostkey:
| 2048 f1:61:50:02:94:ba:f2:bd:be:93:cf:14:58:36:b8:32 (RSA)
| 256 94:33:25:a5:0e:02:d7:bc:c8:b0:90:8a:a2:16:59:e5 (ECDSA)
23/tcp open telnet Openwall GNU/*/Linux telnetd
80/tcp open http nginx 1.
|_http-server-header: nginx/1.
|_http-title: Welcome to nginx!
Service Info: Host: Welcome; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at nmap/submit/.
Nmap done: 1 IP address (1 host up) scanned in 18 seconds
b. Review the results and answer the following questions.
Which ports and services are opened?
996. desktop
For each of the open ports, record the software that is providing the services.
Anonymous FTP
What is the operating system?
Linux
Step 2: Scan your network.
Warning: Before using Nmap on any network, please gain the permission of the network owners before proceeding.
a. At the terminal command prompt, enter ifconfig to determine the IP address and subnet mask for this host. For this example, the IP address for this VM is 192.168.1 and the subnet mask is 255.255.255.
[analyst@secOps ~]$ ifconfig
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1 netmask 255.255.255 broadcast 192.168.
inet6 fe80::997f:9b16:5aae:1868 prefixlen 64 scopeid 0x20<link>
ether 08:00:27:c9:fa:a1 txqueuelen 1000 (Ethernet)
RX packets 34769 bytes 5025067 (4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 10291 bytes 843604 (823 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 19 base 0xd
Record the IP address and subnet mask for your VM. Which network does your VM belong to?
192.168.1, 255.255.255 ethernet.
b. To locate other hosts on this LAN, enter nmap -A -T4 network address/prefix. The last octet of the IP address should be replaced with a zero. For example, in the IP address 192.168.1, the .19 is the last octet. Therefore, the network address is 192.168.1. The /24 is called the prefix and is a shorthand for the netmask 255.255.255. If your VM has a different netmask, search the Internet for a “CIDR conversion table” to find your prefix. For example, 255.255.0 would be /16. The network address 192.168.1/24 is used in this example.
Note: This operation can take some time, especially if you have many devices attached to the network. In one test environment, the scan took about 4 minutes.
[analyst@secOps ~]$ nmap -A -T4 192.168.1/
Starting Nmap 7 ( nmap ) at 2017-05-01 17:13 EDT
Nmap scan report for 192.168.
Host is up (0 latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Bftpd 1.
53/tcp open domain dnsmasq 2-OpenDNS-
| dns-nsid:
| id:
|_ bind: dnsmasq-2-OpenDNS-
80/tcp open tcpwrapped
| http-auth:
| HTTP/1 401 Unauthorized\x0D
Other addresses for scanme.nmap (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2)
| ssh-hostkey:
| 1024 ac:00:a0:1a:82:ff:cc:55:99:dc:67:2b:34:97:6b:75 (DSA)
| 2048 20:3d:2d:44:62:2a:b0:5a:9d:b5:b3:05:14:c2:a6:b2 (RSA)
|_ 256 96:02:bb:5e:57:54:1c:4e:45:2f:56:4c:4a:24:b2:57 (ECDSA)
25/tcp filtered smtp
80/tcp open http Apache httpd 2.4 ((Ubuntu))
|_http-server-header: Apache/2.4 (Ubuntu)
|_http-title: Go ahead and ScanMe!
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
9929/tcp open nping-echo Nping echo
31337/tcp open tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at nmap/submit/.
Nmap done: 1 IP address (1 host up) scanned in 23 seconds
c. Review the results and answer the following questions.
Which ports and services are opened?
25, 9929, 31337. nping-echo, tcpwrapped, smtp
Which ports and services are filtered?
80, 135, 139, 445. msrpc, netbios-ssn, microsoft-ds, http.
What is the IP address of the server?
192.168.1
What is the operating system?
Linux
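Added example, not part of the lab or of Nmap's own code: a small Python helper for steps 1b, 2b and 3c above. It derives the address/prefix target of step 2b from an ifconfig address and netmask, then parses a scan report in the layout shown above to list open and filtered ports, the OS guess, and the open services a defender would review first (cleartext protocols, anonymous FTP). The sample report and the 192.168.1.19 address are constructed values, not taken from the lab output.

```python
import re

# Constructed sample (not real scan data): an abridged report in the lab's Nmap -A layout.
SAMPLE_REPORT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
23/tcp open telnet Openwall GNU/*/Linux telnetd
25/tcp filtered smtp
80/tcp open http nginx 1.
445/tcp filtered microsoft-ds
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
CLEARTEXT = {"ftp", "telnet", "http"}  # services that carry credentials and data unencrypted

def parse_report(text):
    """Return (ports, os_guess, findings); ports maps 'port/proto' to (state, service, version)."""
    ports, os_guess, findings = {}, None, []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports[f"{m.group(1)}/{m.group(2)}"] = (m.group(3), m.group(4), m.group(5) or "")
        elif line.startswith("|") and "ftp-anon" in line:  # NSE script result worth keeping
            findings.append(line.lstrip("|_ ").strip())
        elif line.startswith("Service Info:"):
            mo = re.search(r"OS: ([^;]+)", line)
            os_guess = mo.group(1).strip() if mo else None
    return ports, os_guess, findings

def by_state(ports, state):
    """Ports in the given Nmap state (open, filtered, ...), in numeric order."""
    return sorted((k for k, v in ports.items() if v[0] == state),
                  key=lambda k: int(k.split("/")[0]))

def risky_services(ports, findings):
    """Open services a defender should review first: cleartext protocols and anonymous FTP."""
    risks = [f"{k} {v[1]}: cleartext protocol" for k, v in ports.items()
             if v[0] == "open" and v[1] in CLEARTEXT]
    return risks + [f"21/tcp ftp: {f}" for f in findings]

def network_target(ip, netmask):
    """Derive the address/prefix argument of step 2b from an ifconfig address and netmask."""
    to_int = lambda dotted: int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")
    mask, prefix = to_int(netmask), bin(to_int(netmask)).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:  # reject masks like 255.0.255.0
        raise ValueError(f"non-contiguous netmask {netmask}")
    network = (to_int(ip) & mask).to_bytes(4, "big")  # zero the host bits
    return ".".join(str(b) for b in network) + f"/{prefix}"
```

Calling parse_report(SAMPLE_REPORT) and network_target("192.168.1.19", "255.255.255.0") reproduces the lab's questions on constructed data: the open and filtered port lists, the OS line, and the 192.168.1.0/24 target.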
Reflection
Nmap is a powerful tool for network exploration and management. How can Nmap help with network security? How can Nmap be used by a threat actor as a nefarious tool?
It can scan the host name, domain name, network and IP address; scan the ports opened by the target host, the system information used by the other party, and banner information. It also supports scanning based on TCP/UDP and ARP, and supports script scanning. Others may invade other people's computers through the nmap port scanning vulnerability.