LAB MANUAL

ON
A PRACTICAL APPROACH TO NETWORK
MONITORING

ESTABLISHMENT OF ADVANCED LABORATORY FOR CYBER SECURITY TRAINING TO TECHNICAL TEACHERS
DEPARTMENT OF INFORMATION MANAGEMENT AND EMERGING ENGINEERING
MINISTRY OF ELECTRONICS AND INFORMATION TECHNOLOGY
GOVERNMENT OF INDIA
Principal Investigator: Prof. Maitreyee Dutta

Co Investigator: Prof. Shyam Sundar Pattnaik

PREPARED BY:

Prof. Maitreyee Dutta and Ms. Shweta Sharma (Technical Assistant)

Table of Contents

INTRODUCTION TO NMAP
FEATURES OF NMAP
SCANNING
HOW TO OPEN NMAP
STEP 1: FIND LIVE MACHINES
STEP 2: DISCOVER OPEN PORTS
  a) TCP Connect Scan [-sT]
  b) SYN Stealth Scan [-sS]
  c) UDP Scan [-sU]
  d) Idle Scan [-sI]
     Idle scan of an open port
     Idle scan of a closed port
     Idle scan of a filtered port
STEP 3: SCANNING BEYOND FIREWALL
STEP 4: IDENTIFY VULNERABILITIES
COUNTERMEASURES
REFERENCES

MANUAL-1: A Practical Approach to Network Monitoring
INTRODUCTION TO NMAP
• Nmap ("Network Mapper") is a free, open source tool [1] for network
discovery and security auditing.
• Nmap helps network administrators take inventory of the devices on a
network, discover which hosts are reachable, find the services (open
ports) they expose, and spot security risks such as unexpected or
unpatched services.
• Nmap uses raw IP packets to determine which hosts are available on the
network, which services (application name and version) they offer,
which operating systems they run, and other characteristics such as the
packet filters or firewalls in the path.
• Nmap sends specially crafted packets to the target hosts and analyses
the responses (or the absence of a response).
• The output of Nmap is a list of scanned targets with, for each port,
the port number and protocol, the service name, and the port state.
Nmap reports one of the following states:
• Open: an application on the target machine is accepting TCP
connections or UDP datagrams on that port.
• Closed: the port is reachable (it answers the probe, for TCP with a
RST) but no application is listening on it. A closed port can be
opened at any time by starting a service, so closed ports are still
worth recording.
• Filtered: a firewall, filter or other network obstacle drops the
probe, so Nmap cannot tell whether the port is open or closed.
• Unfiltered: the port is reachable but Nmap cannot determine whether it
is open or closed; this state is only produced by the ACK scan.
• Open|filtered and closed|filtered: Nmap cannot decide between the two
states because the scan type receives no response in either case.
Open|filtered is typical of UDP scans; closed|filtered is produced only
by the idle scan.

FEATURES OF NMAP
• HOST DISCOVERY: To identify which hosts on a network are up, for
example by listing the hosts that respond to ICMP echo requests or to
crafted TCP SYN/ACK probes, or that have a particular port open.
• PORT SCANNING: To enumerate the open ports on target hosts.
• VERSION DETECTION: To identify the application name and version
number behind each open port by interrogating the network service.
• OS DETECTION: To identify the operating system and hardware
characteristics of network devices from their TCP/IP stack behaviour.

SCANNING
• Scanning is an active mode of information gathering: the scanner
sends traffic to the targets and observes their responses.
• It refers to a set of procedures for identifying machines, open
ports, and services running in a network.
• The purpose is to find exploitable communication channels by
discovering live machines, IP addresses, open ports, and services.
• It also identifies the operating system, the system architecture,
and the vulnerabilities associated with them.

• This manual performs scanning with Nmap in the following steps:
• Step 1: Find live machines
• Step 2: Discover open ports
• Step 3: Scanning beyond firewall (timing options)
• Step 4: Identify vulnerabilities
HOW TO OPEN NMAP
Open the Terminal in Kali Linux OS and type nmap. With no arguments Nmap
prints its usage summary. Most of the scans in this manual (SYN, UDP,
idle scan and OS detection) send raw packets and must be run as root, so
prefix them with sudo when not logged in as root.
STEP 1: FIND LIVE MACHINES
Introduction: A ping sweep/scan is used to find live machines in a range
of IP addresses without port scanning them. The option used in this
manual, -sP, is an accepted but deprecated alias of -sn ("no port
scan"); the two are equivalent. By default a privileged (root) sweep
sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80
and an ICMP timestamp request to each address, and uses ARP requests
instead when the targets are on the local Ethernet segment; any reply
marks the host as up. For comparison, the familiar ping utility sends a
single 64-byte ICMP echo request (56 bytes of data plus the 8-byte ICMP
header); Nmap's echo probe carries no payload unless --data-length is
given. The latency Nmap reports is the round trip time of the reply.

Command:
nmap -sP <target>
(or, in current Nmap spelling, nmap -sn <target>)
For example:
nmap -sP 172.16.4.1-254
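Worked example (added here; not part of the original manual): a shell wrapper for Step 1 that runs the sweep with grepable output (-oG) and extracts the live hosts, so they can be fed straight into Step 2 with -iL. The subnet and file names are assumptions, and the -oG text embedded in it is constructed sample output, not a real scan.

```bash
#!/usr/bin/env bash
# Added example, not part of the lab manual: Step 1 ping sweep with grepable
# output. Modern Nmap spells the ping sweep -sn ("skip port scan"); the -sP
# used in the manual is an accepted but deprecated alias for the same scan.

SUBNET="172.16.4.1-254"   # assumption: the lab range used in the manual
OUT="sweep.gnmap"         # assumption: file that receives the -oG output
LIVE="live.txt"           # assumption: list of live hosts handed to Step 2

# Run the sweep against the real network (needs nmap; root for ARP/ICMP probes).
run_sweep() {
    nmap -sn -oG "$OUT" "$SUBNET"
}

# Print the IP address of every host whose -oG line says "Status: Up".
# -oG fields are whitespace separated: "Host: <ip> (<name>) Status: Up".
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Constructed sample of -oG output, standing in for a real run of run_sweep.
SAMPLE_GNMAP='# Nmap 7.94 scan initiated Mon Jan 20 10:00:00 2020 as: nmap -sn -oG sweep.gnmap 172.16.4.1-254
Host: 172.16.4.1 ()     Status: Up
Host: 172.16.4.51 ()    Status: Up
Host: 172.16.4.79 ()    Status: Up
# Nmap done at Mon Jan 20 10:00:05 2020 -- 254 IP addresses (3 hosts up) scanned in 4.91 seconds'

sample_live_hosts() {
    printf '%s\n' "$SAMPLE_GNMAP" | live_hosts
}

# Number of live hosts in the sample.
count_live() {
    sample_live_hosts | wc -l | tr -d ' '
}

# Step 1 feeding Step 2: save the live hosts, then SYN-scan only those
# (real network; requires nmap and root).
sweep_then_scan() {
    run_sweep
    live_hosts < "$OUT" > "$LIVE"
    nmap -sS -p- -iL "$LIVE"
}

sample_live_hosts
```

Down hosts are not written to -oG output unless verbosity is raised, so filtering on "Status: Up" is belt and braces; it also keeps the comment lines out of the host list.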
STEP 2: DISCOVER OPEN PORTS
Introduction: In computer networking, a port is a communication
endpoint identified by a 16-bit number within a transport protocol (TCP
or UDP). For example, Server Message Block (SMB) is a network file
sharing protocol used by Windows machines for file and printer sharing.
It is reached over TCP port 445 (direct SMB) and, for the older NetBIOS
session service, TCP port 139.
Attackers can exploit vulnerabilities in the SMB implementation if these
ports are reachable. Microsoft released patches for the SMB v1
vulnerabilities, but many systems are never updated (unsupported,
unlicensed or simply unpatched installations), so the same weaknesses
stay exposed for years.
Command:
nmap -p <port> -v <target>
(-p selects the ports to scan; -v enables verbose output with extended
information. When no scan type is given, Nmap runs a SYN scan as root
and a TCP connect scan otherwise.)
For example:
nmap -p 1-65535 -v 172.16.4.51
(-p- is shorthand for all 65535 ports.)
a) TCP Connect Scan [-sT]
Introduction: The TCP connect scan detects open ports by completing the
full TCP three-way handshake through the operating system's connect()
call, which is why it is also referred to as a FULL OPEN scan. It needs
no raw-socket privileges, but because every connection is fully
established the target application usually logs it, making this the
noisiest TCP scan type.

Command:
nmap -sT <target>
For example:
nmap -sT 172.16.4.51
b) SYN Stealth Scan [-sS]
Introduction: The SYN scan is based on the first half of the TCP
handshake and is therefore also referred to as a HALF OPEN scan. It
requires root privileges because Nmap crafts the packets itself. Nmap
sends a SYN packet to each port and classifies the response:
• If the port is open, the target responds with SYN/ACK; Nmap then
sends a RST instead of the final ACK, so the connection is never
completed and the listening application never sees it.
• If the port is closed, the target responds with RST.
• If the port is filtered, the probe is dropped (no response even after
retransmission) or an ICMP unreachable error comes back.

Command:
nmap -sS -A -O <target> -p <port>
(-A is the aggressive scan bundle: version detection, OS detection, the
default NSE scripts and traceroute; -O is OS detection on its own and is
redundant once -A is given)
For example:
nmap -sS -A -O 172.16.4.51 -p 445
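Worked example (added here; not part of the original manual) for Step 2 and the SYN scan: a two-stage shell workflow that SYN-scans every TCP port first, then runs the expensive -A options only against the ports found open instead of against all 65535. The target address and file names are assumptions; the normal-format Nmap output embedded in it is a constructed sample, not a real scan result.

```bash
#!/usr/bin/env bash
# Added example, not part of the lab manual: two-stage port scan.
# Stage 1 SYN-sweeps every TCP port and saves normal output; stage 2 runs
# -A only against the ports stage 1 reported open.

TARGET="172.16.4.51"       # assumption: the lab host used in the manual
STAGE1="stage1.nmap"       # assumption: normal (-oN) output of the sweep

# Stage 1: half-open SYN scan of all ports (-p- is shorthand for 1-65535).
# Raw SYN scans need root; as an unprivileged user Nmap refuses -sS (and
# would default to -sT if no scan type were given).
stage1() {
    nmap -sS -p- -oN "$STAGE1" "$TARGET"
}

# Turn the PORT/STATE/SERVICE table of normal output into "22,139,445".
# Only rows whose state is exactly "open" count; "filtered" and
# "open|filtered" rows are skipped so stage 2 does not waste probes on them.
open_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
             split($1, f, "/")
             list = (list == "" ? f[1] : list "," f[1])
         }
         END { print list }'
}

# Stage 2: version detection, OS detection, default NSE scripts and
# traceroute (-A) on the open ports only.
stage2() {
    ports=$(open_ports < "$STAGE1")
    [ -n "$ports" ] || { echo "no open ports in $STAGE1" >&2; return 1; }
    nmap -sS -A -p "$ports" -oN stage2.nmap "$TARGET"
}

# Constructed sample of stage-1 normal output for a host like the lab target.
SAMPLE_NMAP='Starting Nmap 7.94 ( https://nmap.org ) at 2020-01-20 10:05 IST
Nmap scan report for 172.16.4.51
Host is up (0.00042s latency).
Not shown: 65530 closed tcp ports (reset)
PORT    STATE    SERVICE
22/tcp  open     ssh
80/tcp  filtered http
135/tcp open     msrpc
139/tcp open     netbios-ssn
445/tcp open     microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 9.37 seconds'

sample_open_ports() {
    printf '%s\n' "$SAMPLE_NMAP" | open_ports
}

# Ports stage 1 could not classify as open; worth a second look with a
# different scan type (ACK, UDP, a slower timing template), not with -A.
sample_filtered_ports() {
    printf '%s\n' "$SAMPLE_NMAP" |
        awk '$1 ~ /\/tcp$/ && $2 ~ /filtered/ { sub(/\/tcp/, "", $1); print $1 }'
}

sample_open_ports
```

Running stage1 then stage2 against the real target is the same work the manual's single command does with -A and -p 445, but the port list is discovered rather than guessed.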
c) UDP Scan [-sU]
Introduction: This scan type probes UDP ports. Nmap sends a UDP packet
with an empty payload to most ports (for a few well-known services it
sends a protocol-specific payload to provoke a reply). If the scanner
receives an ICMP port unreachable message (type 3, code 3), the port is
closed; other ICMP unreachable errors mean filtered; a UDP reply means
open; and no response at all is reported as open|filtered, because a
dropped probe and a silent open service look the same. UDP scans are
slow because most operating systems rate-limit ICMP error messages;
adding -sV helps resolve open|filtered ports.
Command:
nmap -sU <target>
For example:
nmap -sU 172.16.4.51
d) Idle Scan [-sI]
Introduction: The idle scan is a blind scan: no packet reaches the
target from the attacker's own address. It relies on a third machine
(the "zombie") whose IP ID field increases by one for every packet it
sends, and it consists of three steps that are repeated for each port:
• Step 1: Probe the zombie's IP ID (for example with a SYN/ACK, which
draws a RST) and record it.
• Step 2: Forge a SYN packet with the zombie's source address and send
it to the desired port on the target. Depending on the port state, the
target's reaction may or may not cause the zombie to send a packet and
so increment its IP ID.
• Step 3: Probe the zombie's IP ID again. The port state is determined
by comparing this new IP ID with the value recorded in step 1.
Idle scan of an open port: the target answers the spoofed SYN with a
SYN/ACK to the zombie; the zombie, which never sent a SYN, replies with
a RST and thereby consumes an IP ID, so the second probe shows an IP ID
two higher than the first.
Idle scan of a closed port: the target answers the zombie with a RST,
which the zombie ignores; the IP ID has increased by only one (the
zombie's own reply to the attacker's probe).
Idle scan of a filtered port: the target sends nothing and the IP ID
again increases by only one. Closed and filtered ports are therefore
indistinguishable, and Nmap reports them as closed|filtered.

Command:
nmap -v -Pn -sI <zombie-address>[:<port no.>] <victim's address>
(The zombie port defaults to 80. -Pn disables host discovery so that no
probe from the attacker's real address reaches the victim. Nmap first
checks that the zombie is idle and that its IP ID sequence really is
incremental; a busy zombie produces wrong results.)
For example:
nmap -v -Pn -sI 172.16.4.79:81 172.16.4.51
STEP 3: SCANNING BEYOND
FIREWALL
Introduction: Nmap provides timing templates [-T] that trade scan speed
for stealth. The templates are: Paranoid [-T0], Sneaky [-T1], Polite
[-T2], Normal [-T3], Aggressive [-T4], and Insane [-T5].
-T0 sends one probe at a time and waits 5 minutes between probes, so a
full port scan takes days; the traffic is slow enough that
threshold-based port-scan detection in a firewall or IDS usually does
not trigger. It is not invisible: every probe still reaches the target
and can be logged.
Similarly,
-T1 sends one probe at a time with a 15 second wait between probes.
-T2 sends one probe at a time with a 0.4 second wait between probes.
-T3 is the default: no artificial delay, probes sent in parallel.
-T4 keeps parallelism and shortens how long Nmap waits for replies
(maximum RTT timeout 1250 ms, scan delay capped at 10 ms); meant for
fast, reliable networks.
-T5 is the fastest (maximum RTT timeout 300 ms, scan delay capped at
5 ms, 15 minute host timeout) and sacrifices accuracy on slow or lossy
links.
Command:
nmap -T[0-5] [target]
For example:
nmap -T5 172.16.4.51
nmap -T4 172.16.4.51
nmap -T3 172.16.4.51
nmap -T2 172.16.4.51
nmap -T1 172.16.4.51
nmap -T0 172.16.4.51
(The same knobs can be set individually; for example --scan-delay 5m
reproduces the -T0 gap between probes while leaving the other timing
values at their defaults.)
STEP 4: IDENTIFY
VULNERABILITIES
Introduction: After finding the open ports and the services running on
them, this step identifies known vulnerabilities associated with those
services, using the Nmap Scripting Engine (NSE). The examples below
target the Simple Network Management Protocol (SNMP) and the Server
Message Block (SMB) protocol.
Simple Network Management Protocol (SNMP) is built in to virtually every
network device. Network management programs (such as HP OpenView and
LANDesk) use SNMP for remote network host management. Unfortunately,
SNMP also presents security weaknesses: versions 1 and 2c authenticate
with a community string that travels in clear text and is often left at
the factory defaults, public (read) and private (write).
If SNMP is compromised, an attacker can collect information about the
network such as ARP tables, interface lists, usernames and TCP
connections, and with the write community can reconfigure the device.
If SNMP (UDP port 161) shows up in a port scan, an attacker will try the
default community strings first.
Command:
nmap -p 445 --script "smb-vuln*" <target>
(The wildcard selects every NSE script whose name starts with smb-vuln;
quote it so the shell does not expand it against the current directory.)
For example:
nmap -p 445 --script "smb-vuln*" 172.16.4.51
Command:
nmap -sU -p 161 --script snmp-interfaces <target>
(The script reads the interface table over SNMP. It uses the community
string public unless --script-args snmpcommunity=<string> is given.)
For example:
nmap -sU -p 161 --script snmp-interfaces 172.16.4.51
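Worked example (added here; not part of the original manual) for Step 4: running the two NSE checks with the wildcard properly quoted and the output saved, then extracting from the saved report only the scripts that reported a confirmed VULNERABLE state. The target and file names are assumptions; the NSE report embedded in it is constructed sample output for a hypothetical unpatched lab host, not a real result.

```bash
#!/usr/bin/env bash
# Added example, not part of the lab manual: Step 4 NSE checks with the
# wildcard quoted, output saved, and confirmed findings extracted.

TARGET="172.16.4.51"   # assumption: the lab host used in the manual
OUT="vulns.nmap"       # assumption: file that receives the -oN output

# The glob must be quoted: an unquoted smb-vuln* is expanded by the shell
# against the current directory before Nmap ever sees it.
scan_smb() {
    nmap -p 445 --script "smb-vuln*" -oN "$OUT" "$TARGET"
}

# snmp-interfaces uses the community "public" unless snmpcommunity is given.
scan_snmp() {
    nmap -sU -p 161 --script snmp-interfaces --script-args snmpcommunity=public "$TARGET"
}

# Read a normal-output report on stdin and print the id of every script that
# reported "State: VULNERABLE". A script block opens with "| <id>:" (or
# "|_<id>:" when it is a single line); ids are lower-case, so the indented
# "|   VULNERABLE:" heading inside a block does not match. "State: NOT
# VULNERABLE" and "State: LIKELY VULNERABLE" are deliberately not counted.
vulnerable_scripts() {
    awk '
        /^[|]( |_)[a-z0-9-]+:/ {
            id = $0
            sub(/^[|]( |_)/, "", id)   # drop the "| " or "|_" prefix
            sub(/:.*$/, "", id)        # keep only the script id
        }
        /State: VULNERABLE/ && id != "" && !seen[id]++ { print id }
    '
}

# Constructed sample of -oN output for a hypothetical unpatched lab host;
# it is not the result of a real scan.
SAMPLE_NSE='Starting Nmap 7.94 ( https://nmap.org ) at 2020-01-20 10:20 IST
Nmap scan report for 172.16.4.51
Host is up (0.00051s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|_    State: VULNERABLE
|_smb-vuln-ms08-067: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR

Nmap done: 1 IP address (1 host up) scanned in 12.04 seconds'

sample_vulnerable() {
    printf '%s\n' "$SAMPLE_NSE" | vulnerable_scripts
}

sample_vulnerable
```

Against a real host, run scan_smb and then `vulnerable_scripts < "$OUT"`; a script that could not even negotiate a connection (the second block in the sample) is not a finding and is correctly left out.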
COUNTERMEASURES
The following countermeasures must be followed:
• Disable SNMP and SMB on hosts that do not need them, and disable the
SMB v1 dialect everywhere.
• Block the SNMP ports (UDP ports 161 and 162) and SMB ports (TCP
ports 139 and 445) at the network perimeter, and allow SNMP only from
the management network.
• Change the default SNMP community read string from public and the
default community write string from private to long, random values
that are impossible to guess, and remove the write community if it is
not needed.
• There's technically a "U" that's part of the solution: upgrade.
Upgrading systems (at least the ones you can) to SNMP version 3 with
authentication and encryption (authPriv), and to SMB version 2 or later
(preferably SMB 3 with signing enabled), resolves many of the
well-known SNMP and SMB security weaknesses.
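Worked example (added here; not part of the original manual) for the SNMP countermeasures: a shell audit of a net-snmp snmpd.conf that flags the weak settings listed above, run against a constructed weak configuration and a constructed hardened SNMPv3 configuration. The user name, passphrases and management address are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the lab manual: audit snmpd.conf for the
# weaknesses the countermeasures describe, and show the hardened shape.

# Constructed weak configuration: the factory defaults the manual says to change.
WEAK_CONF='# /etc/snmp/snmpd.conf (weak)
agentaddress udp:161
rocommunity public
rwcommunity private'

# Constructed hardened configuration: one SNMPv3 user with SHA authentication
# and AES privacy (authPriv), bound to the management address only. The
# passphrases are placeholders (assumption); real ones come from a secret store.
HARDENED_CONF='# /etc/snmp/snmpd.conf (hardened)
agentaddress udp:172.16.4.51:161
createUser monitor SHA "CHANGE-ME-auth-passphrase" AES "CHANGE-ME-priv-passphrase"
rouser monitor priv'

# Read an snmpd.conf on stdin, print one finding per line, return 1 if any.
#  - rocommunity/rwcommunity/com2sec define v1/v2c communities, which cross
#    the network in clear text: every one is reported, defaults are flagged.
#  - agentaddress without an IPv4 address listens on every interface
#    (the check is IPv4 only).
audit_snmpd() {
    awk '
        function finding(msg) { n++; print msg }
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == "rocommunity" || $1 == "rwcommunity" {
            c = $2
            if (c == "public" || c == "private")
                finding("DEFAULT community \"" c "\" (" $1 ")")
            else
                finding("v1/v2c community in use (" $1 "); prefer SNMPv3")
        }
        $1 == "com2sec" { finding("v1/v2c community via com2sec: " $4) }
        $1 == "agentaddress" && $2 !~ /:[0-9.]+:[0-9]+$/ && $2 !~ /^[0-9.]+:[0-9]+$/ {
            finding("agentaddress \"" $2 "\" listens on all interfaces")
        }
        END { exit (n > 0) }
    '
}

audit_weak()     { printf '%s\n' "$WEAK_CONF"     | audit_snmpd; }
audit_hardened() { printf '%s\n' "$HARDENED_CONF" | audit_snmpd; }

audit_weak || echo "weak config: $? (findings above)"
audit_hardened && echo "hardened config: no findings"
```

On a live host run `audit_snmpd < /etc/snmp/snmpd.conf`. createUser and rouser are the net-snmp directives for a v3 user; the SMB half of the countermeasures is a separate step on the Windows side (disabling the SMB v1 server, for example with Set-SmbServerConfiguration -EnableSMB1Protocol $false) and is not covered by this check.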

REFERENCES
[1] Offensive Security Ltd., "Nmap Package Description," Kali Linux
Tools, 2020. https://tools.kali.org/information-gathering/nmap (accessed
Jan. 20, 2020).
