
Student: Marchenko Maksym    Group: 371    Date: 14.10.2021

Evaluation & Testing of Information Assets


Laboratory Work №1
Network Analysis
Nmap, short for Network Mapper, is a network discovery and security-auditing tool. It is known for its simple and easy to remember flags (the parameters we use after calling the program; for example -Pn (no ping) is the flag or parameter that prevents nmap from pinging targets) that provide powerful scanning options. Nmap is widely used by network administrators to:

- Scan for open ports and services;
- Discover services along with their versions;
- Guess the operating system running on a target machine;
- Get accurate packet routes to the target machine;
- Monitor hosts.

Network analyzers like Nmap are essential to network security for several reasons. They can identify attackers and
test for vulnerabilities within a network. When it comes to cybersecurity, the more you know about your packet
traffic, the better prepared you are for an attack. Actively scanning your network is the only way to ensure that you
stay prepared for potential attacks.

As a network analyzer or packet sniffer, Nmap is extremely versatile. For example, it allows the user to scan any IP
active on their network. If you spot an IP you haven’t seen before, you can run an IP scan to identify whether it is a
legitimate service or an outside attack.

Nmap Scan Types

A variety of scans can be performed using Nmap. Below are the types of scans (main ones are highlighted):

TCP SYN Scan (-sS)

The TCP SYN scan is one of the quickest port scanning techniques at your disposal in Nmap. You can scan thousands of ports per second on any network that is not protected by a firewall.

It is also a good technique in terms of privacy because it never completes a TCP connection, which would draw attention to your activity. It works by sending a SYN packet and then waiting for a response. A SYN/ACK indicates an open port, whereas no response denotes a filtered port. An RST (reset) identifies a non-listening (closed) port.

TCP Connect Scan (-sT)

A TCP Connect Scan is the main alternative TCP scan when the user cannot run a SYN scan. Under TCP connect scan,
the user issues a connect system call to establish a connection with the network. Instead of reading through packet
responses, Nmap uses this call to pull information about each connection attempt. One of the biggest disadvantages
of a TCP connect scan is that it takes longer to target open ports than a SYN scan.
UDP Scan (-sU)

If you want to run port scanning on a UDP service, then UDP scans are your best course of action. UDP can be used
to scan ports such as DNS, SNMP and DHCP on your network. These are particularly important because they are an
area that attackers commonly exploit. When running a UDP scan, you can also run a SYN scan simultaneously. When
you run a UDP scan, you’re sending a UDP packet to each targeted port. In most cases, you are sending an empty
packet (besides ports like 53 and 161). If you do not receive a response after the packets are transmitted, then the
port is classified as open.

SCTP INIT port scan (-sY)

The SCTP INIT port scan covers SS7 and SIGTRAN services; SCTP itself combines characteristics of both TCP and UDP. Like the SYN scan, the SCTP INIT scan is incredibly fast, able to scan thousands of ports every second. It is also a good choice if you are looking to maintain privacy because it doesn't complete the SCTP association. This scan works by sending an INIT chunk and waiting for a response from the target. A response with an INIT-ACK chunk identifies an open port, whereas an ABORT chunk indicates a non-listening port. The port will be marked as filtered if no response is received after multiple retransmissions.

TCP NULL Scan (-sN)

A TCP NULL scan is one of the craftier scanning techniques at your disposal. It works by exploiting a loophole in the TCP RFC that distinguishes open and closed ports: any packet that doesn't contain the SYN, RST or ACK bits will prompt a returned RST if the port is closed and no response if the port is open. The biggest advantage of a TCP NULL scan is that it can get past some router filters and firewalls. Although it is a good choice for stealth, it can still be detected by intrusion detection systems (IDS).

ACK Scan (-sA)

ACK scans are used to determine whether a particular port is filtered or not. This proves to be extremely helpful
when trying to probe for firewalls and their existing set of rules. Simple packet filtering will allow established
connections (packets with the ACK bit set), whereas a more sophisticated stateful firewall might not.

FIN Scan (-sF)

Also a stealthy scan, like the SYN scan, but it sends a TCP FIN packet instead. Most but not all computers will send an RST (reset) packet back if they receive this input, so the FIN scan can produce false positives and negatives, but it may get under the radar of some IDS programs and other countermeasures.

XMAS Scan (-sX)

Just like NULL scans, these are also stealthy in nature. Computers running Windows will not respond to Xmas scans due to the way their TCP stack is implemented. The scan derives its name from the set of flags that are turned on ("lit up") in the packet sent out for scanning: XMAS scans set the PSH, URG and FIN flags found in the TCP header.

RPC Scan (-sR)

RPC scans are used to discover machines that respond to Remote Procedure Call services (RPC). RPC allows
commands to be run on a certain machine remotely, under a certain set of connections. RPC service can run on an
array of different ports, hence, it becomes hard to infer from a normal scan whether RPC services are running or not.
It is generally a good idea to run an RPC scan from time to time to find out where you have these services running.

IDLE Scan (-sI <zombie host>)

IDLE scan is the stealthiest of all scans discussed above, as the packets are bounced off an external host. Control over
the host is generally not necessary, but the host needs to meet a specific set of conditions. It is one of the more
controversial options in Nmap since it only has a use for malicious attacks.
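To make the response rules above concrete, here is an added Python example (not Nmap's own code, and not part of the original report) that maps the reply a probe receives to the port state Nmap would report, for each scan type described. The mapping follows the Nmap reference guide linked on this page, which is why silence on a UDP, NULL, FIN or Xmas probe comes out as open|filtered rather than open; the Probe records at the bottom are constructed sample data, not a real capture.

```python
"""Map probe responses to Nmap port states for the scan types described above.

Added example, not Nmap code. The response -> state rules follow the Nmap
reference guide on port-scanning techniques; SAMPLE_SYN is constructed data.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Response kinds a scanner can observe for one probe. "none" means no reply
# after Nmap's retransmissions; that silence is what makes a port "filtered"
# (or "open|filtered" where the protocol gives no positive signal for open).
SYN_ACK, RST, NONE = "syn-ack", "rst", "none"
INIT_ACK, ABORT, UDP_DATA = "init-ack", "abort", "udp-data"
ICMP_PORT_UNREACH = "icmp-port-unreachable"  # ICMP type 3, code 3
ICMP_UNREACH = "icmp-unreachable"            # ICMP type 3, codes 1, 2, 9, 10, 13

# Any ICMP unreachable error means a filter is in the way for TCP/SCTP scans.
_ICMP_FILTERED = {ICMP_UNREACH: "filtered", ICMP_PORT_UNREACH: "filtered"}

# Per scan type: observed response -> Nmap port state.
STATE_TABLE: Dict[str, Dict[str, str]] = {
    # TCP SYN (-sS) and TCP connect (-sT): handshake semantics.
    "-sS": {SYN_ACK: "open", RST: "closed", NONE: "filtered", **_ICMP_FILTERED},
    "-sT": {SYN_ACK: "open", RST: "closed", NONE: "filtered", **_ICMP_FILTERED},
    # UDP (-sU): only ICMP port-unreachable proves "closed". Silence is
    # ambiguous (open service that ignores an empty datagram, or a filter),
    # so Nmap reports open|filtered rather than open.
    "-sU": {UDP_DATA: "open", ICMP_PORT_UNREACH: "closed",
            ICMP_UNREACH: "filtered", NONE: "open|filtered"},
    # SCTP INIT (-sY): INIT-ACK means open, ABORT means closed.
    "-sY": {INIT_ACK: "open", ABORT: "closed", NONE: "filtered", **_ICMP_FILTERED},
    # NULL/FIN/Xmas (-sN/-sF/-sX): RFC 793 says a closed port answers RST and
    # an open port stays silent, so silence is again open|filtered.
    "-sN": {RST: "closed", NONE: "open|filtered", **_ICMP_FILTERED},
    "-sF": {RST: "closed", NONE: "open|filtered", **_ICMP_FILTERED},
    "-sX": {RST: "closed", NONE: "open|filtered", **_ICMP_FILTERED},
    # ACK (-sA): cannot see "open" at all; it only separates filtered from
    # unfiltered, which is why it is used to map firewall rule sets.
    "-sA": {RST: "unfiltered", NONE: "filtered", **_ICMP_FILTERED},
}


def port_state(scan: str, response: str) -> str:
    """Return the Nmap state for one probe of the given scan type."""
    try:
        table = STATE_TABLE[scan]
    except KeyError:
        raise ValueError(f"unsupported scan type: {scan}") from None
    try:
        return table[response]
    except KeyError:
        raise ValueError(f"{scan} cannot produce response {response!r}") from None


@dataclass(frozen=True)
class Probe:
    port: int
    response: str


def summarize(scan: str, probes: Iterable[Probe]) -> Tuple[Dict[int, str], Counter]:
    """Classify every probe and count the states, as a scan report would."""
    states = {p.port: port_state(scan, p.response) for p in probes}
    return states, Counter(states.values())


# Constructed sample: what a SYN scan of a small host might observe.
SAMPLE_SYN = [
    Probe(22, SYN_ACK),        # sshd listening
    Probe(80, SYN_ACK),        # web server listening
    Probe(25, RST),            # nothing listening, but the host answered
    Probe(135, NONE),          # dropped by a firewall, no reply after retries
    Probe(445, ICMP_UNREACH),  # router replied "administratively prohibited"
]

if __name__ == "__main__":
    states, counts = summarize("-sS", SAMPLE_SYN)
    for port, state in sorted(states.items()):
        print(f"{port}/tcp {state}")
    print(dict(counts))
```

The table makes the trade-off between scan types visible: the SYN, connect and SCTP INIT scans get a positive reply for both open and closed ports, while the NULL/FIN/Xmas and UDP scans can only ever prove "closed", and the ACK scan proves nothing about listening services at all.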

(Additional information about scan types can be found at https://nmap.org/book/port-scanning-options.html or https://nmap.org/man/ru/man-port-scanning-techniques.html)

(Additional information about Nmap flags can be found at https://nmap.org/man/ru/man-briefoptions.html)

Work Procedure Sequence:

Launch the virtual machine and log in (the default credentials are both “kali”).

In order to continue, we should update our system. To do so we open the “Terminal” application and enter the following command: sudo -s
This command allows you to perform actions on behalf of the superuser that would otherwise not be available. After entering the command, the system will ask you for a password (as before, kali).

Next, to update the system, enter the following command: apt update && apt upgrade -y

After the system has updated we can proceed to the task itself. In the terminal window type the following command: nmap -Pn scanme.nmap.org -oN test
nmap is the command that starts the Nmap application; -Pn (no ping) is the flag or parameter that prevents nmap from pinging targets; scanme.nmap.org is the test target address that we scan (it could be an IP address with the corresponding subnet mask instead); -oN <filename> is the flag that writes the results in normal output format to the specified file.

Final result:

Port   Description
22     Secure Shell (SSH): secure logins, file transfers (scp, sftp) and port forwarding
80     Hypertext Transfer Protocol (HTTP) uses TCP in versions 1.x and 2. HTTP/3 uses QUIC, a transport protocol on top of UDP.
9929   IANA is responsible for internet protocol resources, including the registration of commonly used port numbers for well-known internet services.
31337  This port number means "elite" in hacker/cracker spelling (3=E, 1=L, 7=T) and because of the special meaning is often used for interesting stuff... Many backdoors/trojans run on this port, the most notable being Back Orifice.
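The -oN test file produced by the command above is plain text, which makes it easy to post-process. The following added Python example (not Nmap's code and not part of the original report) parses a file in that normal-output layout and flags open ports that are not on an administrator's allow list. SAMPLE_REPORT is constructed to resemble such a file; its IP address and version string are placeholders, not values from a real scan, and the service names in it are the ones Nmap's service table would print for those ports.

```python
"""Parse an Nmap normal-output (-oN) file and flag unexpected open ports.

Added example, not Nmap code. SAMPLE_REPORT is constructed in Nmap's
normal-output layout; the IP address and version are placeholders.
"""
import re
from typing import Dict, List, NamedTuple, Set


class PortEntry(NamedTuple):
    port: int
    proto: str
    state: str
    service: str


# Constructed sample (placeholder IP 198.51.100.10 and version "7.XX").
SAMPLE_REPORT = """\
# Nmap 7.XX scan initiated Thu Oct 14 12:00:00 2021 as: nmap -Pn -oN test scanme.nmap.org
Nmap scan report for scanme.nmap.org (198.51.100.10)
Host is up (0.18s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
9929/tcp  open  nping-echo
31337/tcp open  Elite
# Nmap done at Thu Oct 14 12:00:30 2021 -- 1 IP address (1 host up) scanned in 30.00 seconds
"""

# "Nmap scan report for host (ip)"; the parenthesised IP is absent when the
# target was given as a bare address.
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?$")
# "22/tcp    open  ssh" style port lines.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)")


def parse_normal_output(text: str) -> Dict[str, List[PortEntry]]:
    """Return {host: [PortEntry, ...]} for every host block in the file."""
    hosts: Dict[str, List[PortEntry]] = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            hosts[current].append(
                PortEntry(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return hosts


def open_ports(entries: List[PortEntry]) -> Set[int]:
    """Ports whose state is exactly open (open|filtered is unconfirmed)."""
    return {e.port for e in entries if e.state == "open"}


def unexpected_open(entries: List[PortEntry], allowed: Set[int]) -> Set[int]:
    """Open ports missing from the allow list: the ones an administrator
    should explain or close. A listener on 31337, noted above as a common
    backdoor port, is exactly what this check is meant to surface."""
    return open_ports(entries) - allowed


if __name__ == "__main__":
    report = parse_normal_output(SAMPLE_REPORT)
    for host, entries in report.items():
        print(host, "open:", sorted(open_ports(entries)))
        print(host, "unexpected:", sorted(unexpected_open(entries, {22, 80})))
```

Run against a real -oN file (for example `open("test").read()`), the same two functions give a repeatable "what changed since last scan" check when the allow list is kept alongside the previous results.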
Control questions:
1. What does "filtered / open / closed port" mean?
Filtered
Nmap cannot determine whether the port is open because packet filtering prevents its
probes from reaching the port. The filtering could be from a dedicated firewall device, router
rules, or host-based firewall software. These ports frustrate attackers because they provide so
little information. Sometimes they respond with ICMP error messages such as type 3 code 13
(destination unreachable: communication administratively prohibited), but filters that simply
drop probes without responding are far more common. This forces Nmap to retry several
times just in case the probe was dropped due to network congestion rather than filtering. This
slows down the scan dramatically.

Open
An application is actively accepting TCP connections, UDP datagrams or SCTP
associations on this port. Finding these is often the primary goal of port scanning. Security-
minded people know that each open port is an avenue for attack. Attackers and pen-testers
want to exploit the open ports, while administrators try to close or protect them with
firewalls without thwarting legitimate users. Open ports are also interesting for non-security
scans because they show services available for use on the network.

Closed
A closed port is accessible (it receives and responds to Nmap probe packets), but there
is no application listening on it. They can be helpful in showing that a host is up on an IP
address (host discovery, or ping scanning), and as part of OS detection. Because closed ports
are reachable, it may be worth scanning later in case some open up. Administrators may
want to consider blocking such ports with a firewall. Then they would appear in the filtered
state, discussed above.

2. Which flag is responsible for version/OS detection & how it is carried out.
The old -O1 flag told Nmap to use the file nmap-os-fingerprints instead of the new
standard. The current generation of OS fingerprinting simply uses the -O (letter O, not the
number 0) flag. Accordingly, the base OS scan command with minimum ports is simply:
# nmap -F -O <ip address>
After performing dozens of tests such as TCP ISN sampling, TCP options support and
ordering, IP ID sampling, and the initial window size check, Nmap compares the results to
its nmap-os-db database of more than 2,600 known OS fingerprints and prints out the
OS details if there is a match.

3. Describe at least 6 other flags that were unmentioned. A few words would be enough
for each one.
-p: the -p flag or parameter is used to specify one or many ports or port ranges. Several
ports can be given separated by commas, as in the following example:
nmap -p 80,22,139 linuxhint.com

Optionally you can also define ports by their default service name rather than their port
number, e.g. “nmap -p ssh <target>”.
--open: This flag instructs nmap to report only open ports on the specified targets. In this
example nmap will look for all open ports of IP addresses within the range 172.31.1.1-255
(using the wildcard is equivalent to using the 1-255 range):
nmap --open <IP/HostRange>

-iL: Another way to define targets is by creating a target list. In the list, hosts can be
separated by comma, space, tab or new line. Below is an example of nmap used to scan
multiple targets using a list called “hostslist” which includes LinuxHint and two other hosts.
nmap -iL hostslist

--exclude: This flag is useful to exclude IP addresses or hosts from scans when we scan IP
ranges or target files. In the following example the hostslist is used again to scan the ssh,
ftp and sftp ports, but nmap is instructed to exclude linuxhint.com from the list. In contrast
with the result shown in the -iL flag example, linuxhint.com is not scanned.
nmap -p ssh,ftp,sftp -iL hostslist linuxhint --exclude linuxhint.com

-iR: The -iR flag instructs nmap to pick targets randomly. It takes a numerical argument:
the user must define how many hosts or targets nmap should generate. In the following
example the -iR flag is applied to scan the http ports of 50 automatically generated random
addresses; among the generated addresses nmap found 2 hosts up.

-v: The -v flag (verbosity) will print information on the scan process. By default nmap
doesn’t show the process, this parameter will instruct nmap to show what’s going on during
the scan.
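The -p, -iL and --exclude flags above all describe how a command line is turned into a concrete set of ports and hosts. The following added Python example (not Nmap's code and not part of the original report) models those rules so the effect of a command can be checked before it is run: -p accepts numbers, ranges and service names; an -iL file may separate hosts by comma, space, tab or newline; --exclude removes hosts from the combined target set. SERVICE_PORTS is a small constructed stand-in for the services table Nmap consults, and SAMPLE_HOSTSLIST is constructed sample data.

```python
"""Expand Nmap-style -p port specs and -iL/--exclude target lists.

Added example, not Nmap code. SERVICE_PORTS stands in for the services
table Nmap uses to resolve names; SAMPLE_HOSTSLIST is constructed data.
"""
import re
from typing import List, Set

# Constructed stand-in for the service-name lookup. Note that "sftp" is
# port 115 (Simple File Transfer Protocol) in the services table, not SSH's
# 22, so "-p ssh,ftp,sftp" does not probe SSH-based SFTP a second time.
SERVICE_PORTS = {"ssh": 22, "ftp": 21, "sftp": 115, "http": 80, "https": 443, "dns": 53}


def expand_ports(spec: str) -> List[int]:
    """Turn "80,22,139", "1-1024" or "ssh,ftp" into a sorted port list."""
    ports: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if item == "-":                        # nmap shorthand for every port
            ports.update(range(1, 65536))
        elif re.fullmatch(r"\d+-\d+", item):
            lo, hi = (int(x) for x in item.split("-"))
            if not 0 <= lo <= hi <= 65535:
                raise ValueError(f"bad range: {item}")
            ports.update(range(lo, hi + 1))
        elif item.isdigit():
            port = int(item)
            if not 0 <= port <= 65535:
                raise ValueError(f"bad port: {item}")
            ports.add(port)
        elif item in SERVICE_PORTS:
            ports.add(SERVICE_PORTS[item])
        else:
            raise ValueError(f"unknown service name: {item}")
    return sorted(ports)


def read_target_list(text: str) -> List[str]:
    """Split an -iL file: hosts separated by comma, space, tab or newline."""
    return [h for h in re.split(r"[,\s]+", text) if h]


def resolve_targets(listed: List[str], extra: List[str], exclude: str = "") -> List[str]:
    """Combine -iL hosts with command-line targets, then apply --exclude
    (a comma-separated list), keeping first-seen order and dropping repeats."""
    excluded = {h.strip() for h in exclude.split(",") if h.strip()}
    seen: Set[str] = set()
    result: List[str] = []
    for host in listed + extra:
        if host in excluded or host in seen:
            continue
        seen.add(host)
        result.append(host)
    return result


# Constructed sample hostslist, mixing the separators -iL allows.
SAMPLE_HOSTSLIST = "linuxhint.com, example.com\nexample.net\tlocalhost"

if __name__ == "__main__":
    print(expand_ports("80,22,139"))              # [22, 80, 139]
    print(expand_ports("ssh,ftp,sftp"))           # [21, 22, 115]
    hosts = read_target_list(SAMPLE_HOSTSLIST)
    print(resolve_targets(hosts, [], exclude="linuxhint.com"))
```

Checking the expanded target set this way before scanning is a cheap guard against scanning addresses outside the agreed scope, which is the practical reason --exclude exists.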
