Lab 3: Advanced Network Scanning with Nmap
Duration: 2 hours
1. Objective Explanation:
1.1. Highlight the importance of network scanning in identifying potential vulnerabilities.
1.2. Explain that Nmap is a widely used open-source tool for network reconnaissance and security auditing.
2. Environment Setup:
2.1. Ensure students have:
2.1.1. Linux (Ubuntu/Kali) or Windows with WSL installed.
2.1.2. Nmap installed (sudo apt install nmap or download from [Link]).
2.2. Verify that students have access to:
2.2.1. Their local machine (localhost).
2.2.2. A test virtual machine or local network device for scanning.
3. Safety Note:
3.1. Warn students that scanning systems they are not authorized to test is illegal and unethical.
3.2. Use only designated test systems for exercises.
4. Expected Outcomes
4.1. Students will understand the use of different scan types and their purposes.
4.2. Students will learn to interpret Nmap results effectively.
4.3. Students will explore advanced scanning techniques and understand their practical applications.
Tasks-1:
1. Scan localhost for open ports:
1.1. Command: nmap -sV localhost
1.2. Expected Outcome:
1.2.1. List of open ports on the local machine.
1.2.2. Services running on those ports.
1.2.3. Why are some ports open by default, and how could this be exploited?
2. Scan a virtual machine for its operating system:
2.1. Command: nmap -O <target IP>
2.2. Expected Outcome:
2.2.1. Operating system details.
2.2.2. TCP/IP fingerprinting results.
2.2.3. How accurate is the OS detection? What factors affect its reliability?
Tasks-2:
1. Detect Firewall Rules:
1.1. Command: nmap --packet-trace <target IP>
1.2. Expected Outcome:
1.2.1. Insight into dropped packets and firewall rules.
1.2.2. How do firewalls block scans, and what techniques bypass them?
2. Perform a Stealth Scan:
2.1. Command: nmap -sS <target IP>
2.2. Expected Outcome:
2.2.1. Results of a half-open scan (stealth mode).
2.2.2. Compare the benefits of a stealth scan versus a regular scan.
3. Detect Vulnerabilities:
3.1. Command: nmap --script vuln <target IP>
3.2. Expected Outcome:
3.2.1. Identification of common vulnerabilities on the target system.
3.2.2. Discuss the implications of publicly known vulnerabilities.
4. Perform a Network Sweep:
4.1. Command: nmap -sn <target subnet> (e.g., [Link]/24)
4.2. Expected Outcome:
4.2.1. List of active hosts on the subnet.
4.2.2. Why is it important to know all active hosts in a network?
Solution Examples
Task 1: Scan localhost
nmap -sV localhost
Example Output:
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Ubuntu
80/tcp open  http    Apache httpd 2.4.41
Task 2: Detect Firewall Rules
nmap --packet-trace <target IP>
Output: Probes that receive no reply (dropped packets) indicate possible firewall activity.
Vulnerability Detection
nmap --script vuln <target IP>
Output: SMBv1 vulnerability detected: CVE-2017-0144 (EternalBlue), or whatever CVE each student identified.
Some Extra Challenge Tasks:
1. Scan for Specific Vulnerabilities
a) Command: nmap --script "smb-vuln*" <target IP> (quote the pattern so the shell does not expand the asterisk).
b) Objective: Detect vulnerabilities like EternalBlue in SMB services.
c) Outcome: Learn how attackers exploit SMB.
2. Perform Timing and Evasion Scans
a) Commands:
   i) nmap -T1 <target IP> (Slow scan for evasion).
   ii) nmap -T5 <target IP> (Aggressive scan for speed).
b) Objective: Analyze the trade-off between scan speed and stealth.
3. DNS Enumeration
a) Command: nmap --script dns-brute <target domain>
b) Objective: Enumerate DNS subdomains.
c) Outcome: Learn how attackers map an organization’s domain.
4. Service-Specific Scanning
a) Command: nmap -p 80 --script http-enum <target IP>
b) Objective: Enumerate HTTP services and resources.
c) Outcome: Identify exposed directories or vulnerable web apps.
5. Custom NSE Script Execution
a) Objective: Write and run a custom Nmap Scripting Engine (NSE) script to automate specific checks.
b) Example Script: A simple port banner grabber.
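The following banner grabber is an added example written for this lab; it is not a script shipped with Nmap. It assumes a file name of banner-grab-lab.nse and an optional script argument banner-grab-lab.timeout (both chosen here), and it only reads what a service sends on its own, which is useful for inventorying what is really listening on a port regardless of the port number.

```lua
-- banner-grab-lab.nse (constructed for this lab; not part of Nmap's script set)
-- Run with: nmap -p 22,80 --script ./banner-grab-lab.nse <target IP>
local nmap   = require "nmap"
local stdnse = require "stdnse"

description = [[
Connects to each open TCP port and reports the first line the service
sends unprompted (e.g. an SSH version string). Services that wait for the
client to speak first, such as HTTP, produce no output from this script.
]]

author = "Lab 3 example (assumed name)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- Run only against TCP ports that the port scan reported as open.
portrule = function(host, port)
  return port.protocol == "tcp" and port.state == "open"
end

action = function(host, port)
  -- Timeout in milliseconds; the argument name is chosen for this example.
  local timeout = tonumber(stdnse.get_script_args("banner-grab-lab.timeout")) or 5000
  local sock = nmap.new_socket()
  sock:set_timeout(timeout)

  local ok, err = sock:connect(host, port)
  if not ok then
    stdnse.debug1("connect to %s:%d failed: %s", host.ip, port.number, err)
    return nil
  end

  -- Read a single line and stop; we never send anything to the service.
  local status, data = sock:receive_lines(1)
  sock:close()

  if not status or not data or #data == 0 then
    return nil  -- silence is normal for client-speaks-first protocols
  end

  -- Drop the trailing CR/LF and replace non-printable bytes so the report
  -- stays on one clean line.
  data = data:gsub("[\r\n]+$", ""):gsub("[^%w%p ]", ".")
  return ("banner: %s"):format(data)
end
```

Compare its output with the VERSION column from nmap -sV on the same ports: the banner is raw text from the service, while -sV adds Nmap's probe-based fingerprinting on top of it.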