In this Lab you are going investigate a tool that will allow you to discover information about a computer that can lead to hardening it to improve its security or compromising it as part of an attack. Both attackers and security people use this tool. Its called: Nmap. Nmap performs scans of a single computer or a whole range of computers. Specifically, Nmap looks for open network ports where servers such as web servers, mail servers and other types of services can be found. If these servers have known vulnerabilities, then attackers can use known exploits to compromise these computers and get inside to do more damage or steal resources.
Read the tutorials about Nmap and answer the questions. If you are unsure about some of the network protocols or terms, I refer you to the links at the bottom of the lab.
Tasks and Questions
Task 1. Read the Tutorials below on Nnmap
The following nmap tutorial is a general purpose overview of the tool.
Nmap Tutorial from Infosecinstitute
Here is another more visual tutorial: Nmap in more details
Tutorial from the Nmap Site - Highly Recommended !!!
Nmap Site Tutorial - Andrew Bennieston, Author
Question 1. What is the purpose of a port scanner?
Question 2. Provide an example of an nmap scan that scans an entire network.
Question 3. Can you use nmap to find out the Operating System of a host? If yes, provide an example command.
Question 4. What is the purpose of doing an nmap stealthy scan? Provide an example of an nmap stealth scan.
Task 2. Practice Doing Scans with Nmap.
There is a test machine provided by the nmap site that allows scans. You will first run nmap against this test machine. Then, try nmap against the computer you are using, and finally, against the network in the lab.
First, start the lab machine in Debian Linux, log on and start Virtual Box, then start the Kali Linux VM.
To begin, open a terminal window so you can type commands. Start a scan against the scanme.nmap.org computer.
type: nmap scanme.nmap.org.
This is the simplest scan. Wait for it to complete. When it is done review the results and complete Question 5.
Question 5. The basic scan is the simplest nmap scan, yet it contains a lot of useful information.
5a. How many open ports were found? List the ports found and services at these ports.
5b. How many ports were scanned? What type of ports were reported?
5c. What does it mean for a port to be filtered, does that mean it is open, closed, or something else?
Run the scan against the machine you are using now.
type: nmap 127.0.0.1.
When it is done review the results complete Questions 6 and 7.
Question 6. The basic scan against your computer may or may not have showed anything. List the results.
Question 7. Does it appear that any ports found represent a security vulnerability? (May have to google the services found)
Another simple scan is the ping scan. This simply checks if the target(s) in online.
type: nmap -sP 10.102.134.235-255
Question 8. How many hosts did the ping scan discover? Were there gaps in the host numbers?
Obtaining more information
The above scans produced a fair amount of interesting and useful information. What is missing is more valuable, especially to penetration testers and black hats. What is running on those open ports? A service on port 443 doesn't have to be https. It may be interesting to know what is running above port 1000. Is it possible to find out what version of a specific service is running? Is that important?
Operating System Identification
nmap can also try and find out what operating system the target is running. It is not 100% accurate but can be a good guide. The argument is -O.This can also take a while so we will run it without version detection. To make sure nmap is not sleeping on the job, we can make it give more information, -v. You can use this multiple times to increase the verbosity. -PN is telling nmap not to ping the host.