Lab-M04-02 Team 6

The document describes a lab assignment for Team Maelstrom in NTS 330: Applied Exploits and Hacking. The objectives of the lab were to conduct various host scanning techniques on virtual machines to identify live hosts, open ports, operating systems, and running services. The team created Kali Linux and Windows XP virtual machines on a private network to safely perform the scans. The lab scenarios included ping sweeps, port scans with Nmap, timing adjustments, OS identification with Nmap and Xprobe2, service fingerprinting, and importing an IP list to scan specific hosts. The results demonstrated the team's scanning skills while following ethical hacking guidelines to only scan private systems with consent.


LAB-M04-01: Host Scanning

Team 6: Team Maelstrom

Isaac Foster, Haley Rodriguez, Juan Wilbur


SUMMARY

Lab-M04-01: Host Scanning is an assignment for NTS 330: Applied Exploits and Hacking. For this, Team Maelstrom had to conduct scans to meet the objectives and write a report. The University of Advancing Technology, the Cyber Warfare Range, and Team Maelstrom do not condone host scanning of public networks, servers, hosts or properties. It is important to comply with and follow cyber ethics law. To complete the actions that we have done, one must create virtual machines on a private network.

In this course, we are using VMware Workstation Pro. This program allows users to create and manage virtual machines: virtual computers set to the user's choice of operating systems and virtual hardware. We, Team Maelstrom, created 3 virtual machines using the Kali Linux operating system, as well as 1 Windows XP target virtual machine. The Kali virtual machine has 4GB of RAM, 2 processors, 60GB of hard drive space and operates on a private network. Our Windows XP virtual machine has 2GB of RAM, 2 processors, 40GB of hard drive space and operates on the same private network as the Kali box. We placed one Kali box and the XP box on the same IP range to conduct our experiment.

Host scanning is a strategic method used to test the strength of a server's or host's ports. This technique is used by administrators to improve the company's safety, and by attackers to find vulnerabilities. Team Maelstrom is learning host scanning as a beneficial skill, to understand what an attacker will do, and to enter the realm of penetration testing. This method is valued by companies and the government, but it is highly important to practice this skill safely. Doing this without consent could lead one onto the path of the Black Hat.

OBJECTIVES

In this lab you are going to flex your scanning and enumeration skills. You are going to get to work your fingers against some systems and do some deeper information gathering. Ensure first of all that you have some systems on your network. Fire up a couple of virtual machines. These could either be some virtual appliances from the VMWare site or some of the vulnerable operating system images that I had mentioned previously.

WARNING: Do not port scan, vulnerability scan, exploit, or perform any other scan against this organization. Doing so may be hazardous to your personal freedom, since you do not have permission from them to do so ; )

For each scenario:

Include an overview of the scenario.

Demonstrate the tool and command line options you used for each scenario as well as the data the tool returned.

If there are additional questions per scenario, answer them. This can be done by providing screenshots or copy/pasting the results into a document.

Make sure you can clearly tell where one scenario ends and the next begins in your lab memo.

In the security field we often have to communicate our findings. The clearer we make our findings, the better our message gets across.

The tools and command line arguments you use can be found either in the lecture, in the book, or in the manual page for the tool itself. Use this information wisely to successfully complete this lab ;)

For the items that require you to perform scans on a single host, choose the most interesting host on your network with the most open ports.

Some of the questions are meant to make you think; answer to the best of your ability ;) If ports or port ranges aren't specified, run the tool with the default settings.
Lab Scenarios:

1. Perform a ping sweep of your network to identify live hosts with Nmap.
2. Port scan the hosts on your network range with Nmap. If you have more than 10 hosts, only provide the results of the 10 with the most ports open.
3. Scan a host adjusting the timing of requests with Nmap.
4. Use Nmap to sweep your network for systems running web servers on port 80 and port 443.
5. Run a scan on a host and tell Nmap to display the reason it finds the port in the state it does.
6. Scan a system with Nmap and output the results to a Normal File. Just provide the command you would use; you do not have to append the results or the file.
7. Scan a host as if it were denying ICMP (ping).
8. Port scan a host for open ports 1 through 500 with Netcat. Yes, Netcat. When do you think you might use Netcat vs Nmap?
9. Perform Operating System identification on one of the hosts on your network. You can use either Nmap or Xprobe2. How accurate was the guess by the tool?
10. Perform application fingerprinting on a host with Nmap. In your estimation, did Nmap properly identify the services running on the machine? Were there unknown application fingerprints? If Nmap doesn't know what a service is, what steps could you take to determine what the service is?
11. You are on a penetration test. Your customer asks you to identify all of the hosts in a given network range. You notice that they are filtering ICMP, so you can't ping hosts to determine if they are alive. How would you determine which hosts in the network range are actually up?
12. Which flags does an Xmas scan (-sX) set in Nmap?
13. Take a couple of the hosts from your network and put them in a plain text file. Put the IP addresses in the file so there is only one per line. Name this file networkhosts.txt. Use Nmap with the appropriate command line argument to import this file and scan the contents.
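Scenarios 2, 5, 9 and 13 all come down to reading Nmap's Normal (-oN) output and pulling out the hosts with open ports, the --reason column, and the "OS details" line. The following Python script is an added example for this report, not code from the team or from the Nmap project. The sample output embedded in it is hand-constructed in the shape of a `-sS -O --reason -oN` run against RFC 1918 addresses, not a capture from the lab's virtual machines; the function and variable names are the example's own.

```python
"""Parse Nmap Normal (-oN) output, rank hosts by open TCP ports, and build
the one-IP-per-line list that `nmap -iL networkhosts.txt` accepts.

Added example for the lab scenarios; the sample text below is constructed,
not a real scan result.
"""
import re

# Constructed sample of Nmap Normal output (addresses are private-range placeholders).
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.94 scan initiated as: nmap -sS -O --reason -oN scan.txt 192.168.56.0/24
Nmap scan report for 192.168.56.1
Host is up, received arp-response (0.00010s latency).
All 1000 scanned ports on 192.168.56.1 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)

Nmap scan report for xpbox.lab (192.168.56.101)
Host is up, received arp-response (0.00042s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE      REASON
135/tcp open  msrpc        syn-ack ttl 128
139/tcp open  netbios-ssn  syn-ack ttl 128
445/tcp open  microsoft-ds syn-ack ttl 128
OS details: Microsoft Windows XP SP2 or SP3

Nmap scan report for 192.168.56.102
Host is up, received arp-response (0.00038s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE    SERVICE REASON
22/tcp open     ssh     syn-ack ttl 64
80/tcp filtered http    no-response
OS details: Linux 5.X

# Nmap done -- 256 IP addresses (3 hosts up) scanned
"""

# "Nmap scan report for <name>" or "... for <name> (<ip>)" when reverse DNS resolved.
HOST_RE = re.compile(r"^Nmap scan report for (?P<name>\S+)(?: \((?P<ip>[\d.]+)\))?$")
# One port line: "<port>/<proto> <state> <service> [<reason ...>]" (reason only with --reason).
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<reason>.*))?$"
)
OS_RE = re.compile(r"^OS details: (?P<os>.+)$")


def parse_nmap_normal(text):
    """Return {ip: {"ports": [(port, service, reason), ...], "os": str or None}}.

    Only ports in state "open" are recorded; filtered/closed lines are skipped.
    """
    hosts = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            ip = m.group("ip") or m.group("name")  # no parentheses means name is the IP
            current = hosts.setdefault(ip, {"ports": [], "os": None})
            continue
        if current is None:
            continue  # preamble before the first host block
        m = PORT_RE.match(line)
        if m and m.group("state") == "open":
            reason = (m.group("reason") or "").strip()
            current["ports"].append((int(m.group("port")), m.group("service"), reason))
            continue
        m = OS_RE.match(line)
        if m:
            current["os"] = m.group("os")
    return hosts


def top_hosts(hosts, n=10):
    """Hosts ordered by open-port count (descending), ties broken by IP; at most n."""
    ranked = sorted(hosts.items(), key=lambda kv: (-len(kv[1]["ports"]), kv[0]))
    return [(ip, len(info["ports"])) for ip, info in ranked[:n]]


def networkhosts_lines(hosts):
    """IPs with at least one open port, one per line, ready for networkhosts.txt."""
    return [ip for ip, info in sorted(hosts.items()) if info["ports"]]


if __name__ == "__main__":
    parsed = parse_nmap_normal(SAMPLE_NMAP_OUTPUT)
    for ip, count in top_hosts(parsed):
        print(f"{ip}: {count} open port(s), OS guess: {parsed[ip]['os']}")
        for port, service, reason in parsed[ip]["ports"]:
            print(f"    {port}/tcp {service} ({reason})")
    print("networkhosts.txt:", "\n".join(networkhosts_lines(parsed)))
```

Run it against a real `-oN` file by passing the file's contents to `parse_nmap_normal`; the output of `networkhosts_lines` written one per line is exactly the format scenario 13 asks for with `nmap -iL networkhosts.txt`.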
LAB SCENARIOS

This picture captures our Nmap ping sweep use on our XP box, our own Kali box (this was an accident), and our IP range.

Here, we limited the speed of the Nmap scan.

This is scanning ports 80 and 443 on the XP box.

Nmap giving a reason why the ports on the XP box are open.

We performed another scan of XP and output the results to a text file.

This is how we could scan XP if it was denying ICMP.

We scanned the XP box ports 1-500.

We scanned the XP box to see if we could find the target's operating system.

Here is more information about the XP box.

We scanned the IP range and found the 3 hosts connected. This is how we could find possible ports blocking ICMP; the results are listed at the bottom of the scan.
