#### LAB 3: Exploring and Auditing a Network Using Nmap

Nmap is a free, open source utility for network exploration and security auditing.

## Lab Scenario

An administrator and an attacker can use the same tools to fix or exploit a system. If an attacker learns all the information about vulnerable computers, they will immediately act to compromise those systems using reconnaissance techniques. Therefore, as an administrator it is very important for you to patch those systems after you have determined all the vulnerabilities in a network, before the attacker audits the network to gather information about its weaknesses. Also, as an ethical hacker and network administrator for your company, your job is to carry out daily security tasks, such as network inventory, service upgrade schedules, and the monitoring of host or service uptime. So, you will be guided in this lab to use Nmap to explore and audit a network.

## Lab Objectives

In this lab, you need to:

* Scan TCP and UDP ports
* Analyze host details and their topology
* Record and save scan reports
* Compare saved results for suspicious ports

## Lab Duration

30 Minutes

## Overview of Network Scanning

Network addresses are scanned to determine:

* What services (application names and versions) those hosts offer
* What operating systems (and OS versions) they run
* The type of packet filters/firewalls that are in use, and dozens of other characteristics

## Lab Environment

On your lab machine hostX.ws.nsrc.org, execute:

```bash
sudo apt-get install nmap
```

## Lab Tasks

# Scan a single system

Pick another group's machine:

```bash
nmap hostX.ws.nsrc.org
```

# Scan an entire subnet

```bash
nmap 10.10.0.0/24
```

# Scan the hosts listed in a file

Suppose you have a file containing IP addresses. Create the file target.txt and insert the following (replace X, Y and Z with group numbers):

```
hostX.ws.nsrc.org
hostY.ws.nsrc.org
hostZ.ws.nsrc.org
```

You may now execute:

```bash
nmap -iL target.txt
```

# Scan specific ports only

```bash
nmap -p80,22 hostX.ws.nsrc.org
```

# Scanning techniques

There are many scanning techniques; the most important ones are listed below.

# TCP SYN scan (-sS)

Also known as a half-open scan: the three-way handshake is never completed, because Nmap answers the target's SYN/ACK with a RST instead of an ACK.

```bash
nmap -sS hostX.ws.nsrc.org
```

# TCP connect() scan (-sT)

This is the default scanning technique, used if and only if the SYN scan is not an option (for example when Nmap is run without the raw-socket privileges that -sS needs).

```bash
nmap -sT hostX.ws.nsrc.org
```

# UDP scan (-sU)

As the name suggests, this technique is used to find the open UDP ports of the target machine. No SYN packet is sent because UDP has no handshake; Nmap sends a UDP datagram to each port and interprets the reply (or the absence of one).

```bash
nmap -sU hostX.ws.nsrc.org
```

# FIN scan (-sF)

Sometimes a normal TCP SYN scan is not the best solution because of a firewall. An IDS or IPS may be deployed in front of the target machine, and a firewall will usually block the SYN packets. A FIN scan sends packets with only the FIN flag set, so it does not need to complete the TCP handshake.

```bash
nmap -sF hostX.ws.nsrc.org
```

# Ping scan (-sP)

Used to check whether a host is alive (newer Nmap releases call this host discovery -sn; -sP is still accepted as an alias).

```bash
nmap -sP hostX.ws.nsrc.org
```

# Version detection (-sV)

Version detection is the technique used to find out which software version is running on the target system and on the respective ports.

```bash
nmap -sV hostX.ws.nsrc.org
```

# Idle scan (-sI)

Idle scan is one of my favorite techniques. It is an advanced scan that provides anonymity while scanning: in an idle scan, Nmap doesn't send the probes from your real IP address. Instead of generating the packets from the scanning machine, Nmap bounces them off another host on the target network (the "zombie"), so the target only ever sees the zombie's address. Let's consider an example to understand the concept of idle scan:

```bash
nmap -sI hostX.ws.nsrc.org hostY.ws.nsrc.org
```

Here the first host after -sI (hostX) is the zombie and the second (hostY) is the target. In other words, with a zombie of 192.168.1.6 and a target of 192.168.1.1, the idle scan discovers the open ports on 192.168.1.1 while all of the probes that reach the target come from the zombie host 192.168.1.6. So this is an ideal technique to scan a target computer anonymously.

There are many other scanning techniques available, such as FTP bounce, fragmentation scan, IP protocol scan, and so on; we have discussed the most important ones here (although any of the scanning techniques can be important depending on the situation you are dealing with).

# OS Detection

One of the most important features Nmap has is the ability to detect remote operating systems and software. It is very helpful during a penetration test to know the operating system and the software used by the remote computer, because you can easily predict the known vulnerabilities from this information.

```bash
nmap -O hostX.ws.nsrc.org
```

------------------ PART 2 ----------------------

## Nmap Scripting Engine

The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. These scripts are written in the Lua programming language. Nmap's script engine does many things; some of them are below:

* Network discovery
* Vulnerability detection
* Backdoor detection
* Vulnerability exploitation

# Tasks

> Default script scan

```bash
nmap -sC -p22,80 -T4 hostX.ws.nsrc.org
```

Port status: after scanning, you may see results with a port status like filtered, open, closed, etc. Let me explain these.

* Open: an application is listening for connections on this port.
* Closed: the probes were received, but there is no application listening on this port.
* Filtered: no response to the probes was received, so the state could not be established; the probes are being dropped by some kind of filtering (a firewall, router rule or host-based filter).
* Unfiltered: the probes were received (the port is reachable), but Nmap could not establish whether it is open or closed.
* Open/Filtered: the port is either open or filtered, but Nmap couldn't establish which.
* Closed/Filtered: the port is either closed or filtered, but Nmap couldn't establish which.
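The lab objectives ask you to record and save scan reports and then compare the saved results for suspicious ports, and the port states listed above are exactly what such a comparison works on. The following added example (it is not part of the lab material or of Nmap itself) parses two saved Nmap grepable (`-oG`) reports, lists every port whose state changed between them, and flags ports that are newly reported open; the two reports are constructed samples embedded inline, using the lab's placeholder hostnames and addresses.

```python
# Constructed sample of `nmap -oG` output from a baseline scan of the lab subnet (not real data).
BASELINE = """# Nmap scan initiated as: nmap -sS -sU -p22,53,80,4444 -oG base.gnmap 10.10.0.0/24
Host: 10.10.0.5 (hostx.ws.nsrc.org)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/\tIgnored State: closed (6)
Host: 10.10.0.6 (hosty.ws.nsrc.org)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 53/open|filtered/udp//domain///\tIgnored State: closed (6)
"""
# Constructed sample from a later scan: port 80 is now filtered and 4444 has appeared open.
TODAY = """# Nmap scan initiated as: nmap -sS -sU -p22,53,80,4444 -oG today.gnmap 10.10.0.0/24
Host: 10.10.0.5 (hostx.ws.nsrc.org)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/filtered/tcp//http///, 4444/open/tcp//krb524///\tIgnored State: closed (5)
Host: 10.10.0.6 (hosty.ws.nsrc.org)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 53/open|filtered/udp//domain///\tIgnored State: closed (6)
"""

def parse_gnmap(text):
    """Return {host: {(port, proto): state}} from the Host:/Ports: lines of -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):        # skip the "# Nmap ..." banner lines
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]             # "Host: 10.10.0.5 (name)" -> "10.10.0.5"
        ports = hosts.setdefault(host, {})
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for entry in field[len("Ports:"):].split(","):
                    # entry layout: port/state/proto/owner/service/rpc/version/
                    port, state, proto, _rest = entry.strip().split("/", 3)
                    ports[(int(port), proto)] = state
    return hosts

def diff_scans(old, new):
    """List (host, port, proto, old_state, new_state) for every port whose state changed."""
    changes = []
    for host in sorted(set(old) | set(new)):
        keys = set(old.get(host, {})) | set(new.get(host, {}))
        for port, proto in sorted(keys):
            before = old.get(host, {}).get((port, proto), "absent")
            after = new.get(host, {}).get((port, proto), "absent")
            if before != after:
                changes.append((host, port, proto, before, after))
    return changes

def suspicious(changes):
    """Changes worth a closer look: a port that is newly reported open or open|filtered."""
    return [c for c in changes if c[4].startswith("open")]

if __name__ == "__main__":
    found = diff_scans(parse_gnmap(BASELINE), parse_gnmap(TODAY))
    for host, port, proto, before, after in found:
        flag = "  <-- review" if (host, port, proto, before, after) in suspicious(found) else ""
        print(f"{host} {port}/{proto}: {before} -> {after}{flag}")
```

To use it on real lab data, save each scan with `-oG` and read the two files into BASELINE and TODAY instead of the embedded samples.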