Lab 6
Part 1 - Port Scanning with nmap
References
Introduction
This exercise is an introduction to one of the most well known port
scanning tools, nmap. Students discover and scan hosts on the closed
network within the RMC CNSl in room S4112. The results of the
host discovery section of this lab are used in the next exercise on
vulnerability assessment.
Part 1 - Set up
Set up your lab environment according to the specifications below,
and annotate Figure 1 accordingly.
- Open the Linux VM.
- Configure the Linux VM for connection to the Common Network as
shown in Figure 1.
- The IP of your Linux VM is 10.27.x.10.
- Be sure to complete the missing information in your Figure.
- Test your network configuration by pinging the Server VM.
Figure 1 - Exercise Network
Part 2 - Introduction to nmap
- Open a Terminal.
- nmap (network mapper) is a console-based utility for
network exploration and conducting security audits, essentially a
port scanner. Observe the command options available for nmap:
man nmap
- (#1) What do the following switches do?
- -sn
- -PO
- -PS
- -PU
- -sO
- -sV
- -O
Part 3 - Using nmap to conduct a reconnaissance of
your network
- Leave the nmap man page open for reference.
- Open a second terminal window.
- Use a broad ping scan to determine the hosts that are "up" on a
portion of your lab network.
- Specifically, enter the following scans:
nmap -n -sn 10.27.x.0/24
nmap -n -sn 10.27.0.0/24
- (#4) Why is the -n option used? What happens if you rerun this
command without the -n option? (Try it.)
- (#5) What does the /24 represent?
- Use the same nmap command to start a ping scan on the entire /16
Common Network.
- (#6) Record at least one of your colleagues' machines before
terminating this scan (Ctrl-C).
- (#7) How many hosts would this scan look for? Justify your
answer.
- Conduct an IP protocol ping (switch -PO / -PS / -PU) on the Common
Network hosts. Note that for this scan "nmap needs to read raw
responses off the wire"; you must use sudo to have sufficient
privilege.
- (#8) How many TCP ports are open on each?
- (#9) Are there any UDP ports open on any machine?
- Conduct an IP protocol ping on yourself.
- (#10) How many ports are open?
- Open a third terminal window.
- Conduct an IP protocol scan (switch -sO) on host 10.27.x.1; note
that you have to use sudo to have sufficient privilege for this scan.
Be patient, this will take a while.
- (#11) Are the results different than that attained with the IP
protocol ping? Explain.
- Return to the second terminal window. nmap is often
capable of determining the operating system of a scanned host.
{Hint: read the OS Detection section of the man pages and again note
that you will need to use sudo to have sufficient privilege.}
- (#12) What operating system does nmap think your
Server VM is running?
- (#13) What is its MAC address?
- (#14) How far away is it?
- (#15) What operating system does nmap think your Linux VM is
running?
- nmap is also often able to determine the version number of various
services running as software applications. {Hint: read the
Service/Version Detection section of the man pages.}
- Investigate how to restrict the application scans to specific
sets of port numbers, otherwise your scans may take a long time to
complete.
- (#16) What version of ssh is running on your Server VM?
- (#17) What web server is running on your Server VM?
- (#18) What, if any, web server is running on the Printer? Does this
make sense?
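The host discovery results from the ping scans above feed the next exercise, so it helps to capture them in a form you can reuse. The following script is an added example, not part of the lab handout: it parses nmap's grepable output (written with -oG -, a real nmap option) for a -sn scan, keeps the hosts reported Up, and uses the ipaddress module to show how many addresses a /24 and a /16 scan probe. The sample output and the 10.27.5.x hosts in it are constructed.

```python
import ipaddress
import re

# Constructed sample of "nmap -n -sn -oG - 10.27.5.0/24" output; the hosts
# are made up. With -n the parentheses after each IP are empty because no
# reverse-DNS lookup is done; without -n they would hold the hostname.
# Down hosts appear in -oG output only when nmap is run with -v.
SAMPLE_OG = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -n -sn -oG - 10.27.5.0/24
Host: 10.27.5.1 ()\tStatus: Up
Host: 10.27.5.10 ()\tStatus: Up
Host: 10.27.5.20 ()\tStatus: Up
Host: 10.27.5.200 ()\tStatus: Down
# Nmap done at Mon Jan  1 10:00:03 2024 -- 256 IP addresses (3 hosts up) scanned in 2.52 seconds
"""

# One grepable "Host:" line: IP, optional reverse-DNS name in parentheses, status.
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s+Status:\s+(\w+)")


def live_hosts(grepable_output):
    """Return the IPs reported 'Up' in nmap -oG output, in scan order."""
    hosts = []
    for line in grepable_output.splitlines():
        m = HOST_LINE.match(line)
        if m and m.group(3) == "Up":
            hosts.append(m.group(1))
    return hosts


def addresses_in(cidr):
    """Number of addresses a ping scan of this CIDR block probes (cf. #7)."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def hosts_in_block(hosts, cidr):
    """Keep only the live hosts that fall inside cidr (e.g. your own /24 of the /16)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [h for h in hosts if ipaddress.ip_address(h) in net]


if __name__ == "__main__":
    up = live_hosts(SAMPLE_OG)
    print("live hosts:", up)
    print("addresses probed by a /24 scan:", addresses_in("10.27.5.0/24"))
    print("addresses probed by a /16 scan:", addresses_in("10.27.0.0/16"))
    print("live hosts in 10.27.5.0/28:", hosts_in_block(up, "10.27.5.0/28"))
```

To use it on a real scan, save the scan with `nmap -n -sn -oG hosts.gnmap 10.27.x.0/24` and pass the file contents to live_hosts().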
Shutting Down
When you are finished with the exercise, do not shut down your virtual
machines; you will use the same network setup in the next exercise.
Conclusion
In this exercise you have learned the usefulness of one of the most
common utilities for exploring a network using port scans.
Specifically you have used the network port scanning tool nmap.
While you explored this tool using the Linux operating system, the
same tool is available for Windows operating systems. Note that nmap
also has a GUI front end named zenmap.
Part 2 of the lab includes vulnerability scanning.