Introduction

Scanning and enumeration are fundamental techniques for network reconnaissance. Scanning involves probing a network to discover active hosts, open ports, and services running on those ports. Enumeration dives deeper into identifying specific details like operating systems and service versions.

Tool Overview: Nmap

Nmap, short for "Network Mapper," is a versatile tool used for network exploration and security auditing. Originally designed for large-scale network mapping, it has evolved to include extensive functionality beyond its initial scope.

Phases of an Nmap Scan

In this lab, you'll focus on four key phases of an Nmap scan:

  1. Host Discovery (Ping scanning): Identifying active hosts on the network.
  2. Port Scanning: Identifying open ports on discovered hosts.
  3. Operating System Detection: Determining the operating systems of the identified hosts.
  4. Service/Service Version Detection: Identifying the services and their versions running on open ports.

Understanding Ports

Before diving into Nmap, it's crucial to understand ports. If an IP address is the building, ports are the apartment unit numbers inside it: they identify the specific service or application a connection is meant for. TCP ports are particularly common on the Internet and require a 3-way handshake before a connection is established.

Getting Started with Nmap

Executing Your First Scan:

  1. Open a Terminal window in the lab environment.
  2. Type nmap 192.168.0.1 to perform a TCP connect scan (default without root privileges).
  3. This scan completes the full 3-way handshake to establish connections with open ports.

Advanced Scan with Root Privileges:

  1. Type sudo nmap 192.168.0.1 to perform a SYN stealth scan (half-open scan).
  2. This scan initiates but does not complete the TCP handshake, providing faster results.

Understanding Scan Results:

  1. Nmap reports each probed port in one of three main states: Open, Closed, and Filtered.
  2. Open ports have a service accepting connections, closed ports are reachable but have no service listening, and filtered ports are ones where a packet filter (such as a firewall) is dropping the probes, so Nmap cannot tell whether the port is open.

Nmap Options Overview:

  • -Pn: Disables host discovery and treats all hosts as online.
  • -sS: SYN stealth scan, faster but more likely to be detected by modern firewalls.
  • -O: Detects the operating system of the target host.
  • -sV: Detects services and their versions running on open ports.
  • -T1-5: Adjusts scan speed with timing templates from Paranoid (slowest) to Insane (fastest).

Lab Questions and Answers: 1.1 Core Concepts

True or False: Scanning refers to the use of various tools and techniques to survey a network for active hosts, open ports, and the types of services running on those ports.

A. True

B. False

Answer: A

True or False: Enumeration refers to passively gathering detailed information using publicly available resources.

A. True

B. False

Answer: B

Which of the following is not an application of Nmap?

A. Inventorying hosts on a network.

B. Extracting files from network traffic.

C. Mapping attack surface area.

D. Detecting firewalls and vulnerable hosts.

Answer: B

What Nmap option allows you to enumerate service and service versions on a host?

Answer: -sV

Lab Questions and Answers: 1.2 Guided Exercise

In the Node (h1) window, type sudo nmap -sn 192.168.0.0/24 and press Enter to perform host discovery only, skipping the port scanning phase (-sn). As you can see, 8 hosts are reported up.

1. How many hosts are alive on the 192.168.0.0/24 network, including your own?
Answer: 8

In the Node (h1) window, type sudo nmap -sV 192.168.0.20 -p 21 and press Enter to detect the software and version running on port 21. The VERSION column shows the FTP server's version.
2. What is the service version running on port 21 on the 192.168.0.20 host?
Answer: 3.0.5

In the Node (h1) window, type sudo nmap -O --osscan-guess 192.168.0.20 and press Enter to force Nmap to guess the operating system more aggressively.
3. What is nmap’s best guess as to the OS running on 192.168.0.20? (name and version, no spaces). Note: the OS name will not be a real operating system, just an artifact for this lab.
Answer: CLabOS0.1

In the Node (h1) window, type nmap -Pn 192.168.0.2 -T1 -p 22,25,1000,2099,8080,8888 to run a slow (Polite) scan against the target web server.

Even though only a handful of ports are probed, this scan may still take around 1-2 minutes. Press Enter to see the progress.

3 of these ports are open; did you discover which? If so, well done! You've slipped past a shoddy packet filtering system. Pat yourself on the back.

4. Add up the open ports you discovered on 192.168.0.2 (e.g., if ports 1, 2, and 3 are open, 1+2+3=6). What is the number?
Answer: 8127
Congratulations, you made it! Welcome to the Nmap club (and you even learned the special (TCP) handshake to get in).
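The guided exercise above has you read host counts, version banners and open-port sums off the screen. The following is an added example, not part of the Cybrary lab, that answers those same questions from Nmap's XML output (the -oX option) so the tally is repeatable and can be kept as an inventory record. The XML is constructed sample data using the guided exercise's port list, not a captured scan, and the service banners in it are made up.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed Nmap XML (the shape "nmap -oX -" emits), not a real capture:
# one host up with three open, two closed and one filtered port; one host down.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host><status state="up" reason="user-set"/>
    <address addr="192.168.0.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="25"><state state="open" reason="syn-ack"/>
        <service name="smtp" product="Postfix smtpd"/></port>
      <port protocol="tcp" portid="1000"><state state="closed" reason="reset"/></port>
      <port protocol="tcp" portid="2099"><state state="filtered" reason="no-response"/></port>
      <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="8888"><state state="closed" reason="reset"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.168.0.3" addrtype="ipv4"/></host>
</nmaprun>"""


def parse_hosts(xml_text: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Return {ip: [(port, state, banner), ...]} for hosts Nmap reports as up."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue  # down hosts carry no port table worth reporting
        ip = host.find("address").get("addr")
        ports = []
        for p in host.findall("ports/port"):
            svc = p.find("service")  # only present when -sV identified something
            banner = "" if svc is None else " ".join(
                filter(None, (svc.get("product"), svc.get("version"))))
            ports.append((int(p.get("portid")), p.find("state").get("state"), banner))
        hosts[ip] = ports
    return hosts


def open_port_sum(hosts: Dict[str, List[Tuple[int, str, str]]], ip: str) -> int:
    """Lab question 4: add up the open port numbers on one host (0 if unknown)."""
    return sum(port for port, state, _ in hosts.get(ip, []) if state == "open")


if __name__ == "__main__":
    scan = parse_hosts(SAMPLE_XML)
    print(len(scan), "host(s) up; open-port sum:", open_port_sum(scan, "192.168.0.2"))
```

Filtered ports are kept in the per-host list with their state, so a host "behind a firewall" (as in the challenge exercise) shows up as one whose probed ports are mostly filtered rather than closed.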

Lab Questions and Answers: 1.3 Challenge Exercise

1. How many hosts does your ping scan find?
Answer: 2
2. Which host is likely to be behind a firewall?
Answer: 172.16.0.32
3. What is the IP address of the “hidden” host?
Answer: 172.16.0.16
4. What port is running on the “hidden” host?
Answer: 12345

5. What is the legitimate service running on the hidden host?
Answer: sambasmbd4.6.2

6. Which ports are open on the host behind a firewall? Add up the 3 open ports you discovered.
Answer: 548


Conclusion and Reflection

Through these exercises, you've practiced essential Nmap scanning and enumeration techniques. Understanding these tools and techniques is crucial for effective network reconnaissance and security auditing. Always interpret scan results critically to make informed decisions and plan next steps based on findings.