4 Scanning Networks

Practice Labs - Ethical Hacker v10
Scanning Networks
Introduction
Lab Topology
Exercise 1 - Using Microsoft Network Scanning Tools
Exercise 2 - Using Linux Network Scanning Tools
Review
Introduction
Network Scanning
ID Serve
Nmap
Zenmap
CurrPorts
Netcat
Hping3
MyLanViewer
Netdiscover
Fping
Ethical Hacking
Welcome to the Scanning Networks Practice Lab. In this module, you will be
provided with the instructions and devices needed to develop your hands-on skills.
Learning Outcomes
In this module, you will complete the following exercises:

After completing this module, you will be able to:
Banner Grab Using ID Serve

Explore a Network Using Nmap
Use CurrPorts to Monitor TCP/IP Connections
Use MyLanViewer to Scan a Network
Use Hping3 for Network Scanning
Perform a TCP Scan Using Dmitry
Use Netcat for Port Scan
Use Netdiscover for Scanning the Network
Perform Stealth Scanning Using Nmap
Use fping for Network Scanning
Use Msfconsole to Perform TCP Stealth on a Network
Exam Objectives
The following exam objective is covered in this lab:
5.2 Information Security Assessment Methodologies
Note: Our main focus is to cover the practical, hands-on aspects of the exam
objectives. We recommend referring to course material or a search engine to
research theoretical topics in more detail.
Lab Duration
It will take approximately 1 hour to complete this lab.
Help and Support

For more information on using Practice Labs, please see our Help and Support
page. You can also raise a technical support ticket from this page.
Click Next to view the Lab topology used in this module.

Lab Topology
During your session, you will have access to the following lab configuration.
Depending on the exercises, you may or may not use all of the devices, but they are
shown here in the layout to get an overall understanding of the topology of the lab.
PLABDC01 - (Windows Server 2019 - Domain Server)
PLABDM01 - (Windows Server 2019 - Domain Member)
PLABWIN10 - (Windows 10 - Workstation)
PLABKALI01 - (Kali 2019.2 - Linux Kali Workstation)
Click Next to proceed to the first exercise.
Exercise 1 - Using Microsoft Network Scanning

Tools
There are several Windows-based network scanning tools that are available. Some of
the key tools are:
ID Serve
CurrPorts
Nmap
MyLanViewer
NetView
Amap
Netscan Tools Pro
LANSurveyor
Friendly Pinger
Global Network Inventory
It is important to understand that some of the tools will work in a similar fashion,
such as discover live systems on a network. On the other hand, some tools, such as
ID Serve, have a distinct function, such as a scan for a Webserver and extract its
configuration information.
In this exercise, you will learn to use some of the key Windows-based tools for
network scanning.
Learning Outcomes
After completing this exercise, you will be able to:

Your Devices
You will be using the following devices in this lab. Please power these on now.

Task 1 - Banner Grab Using ID Serve
As an ethical hacker, it is important to know banner grabbing methods. ID Serve is

one of the key tools used in banner grabbing. ID Serve can connect any of the server
ports on any:
Domain
IP address
ID Serve can be used to grab the server’s greeting message (if any) along with the
make and model. It can also grab the operating system’s information.
In this task, you will perform banner grabbing using ID Serve. To do this, perform
the following steps:
Step 1
Ensure you have powered on the required devices and connect to PLABWIN10.
Figure 1.1 Screenshot of PLABWIN10: Showing the desktop of

PLABWIN10.
Step 2
In the Type here to search box, type the following:
Internet Explorer
Press Enter.
Figure 1.2 Screenshot of PLABWIN10: Searching for Internet Explorer and

then selecting it from the search results.
Step 3
The Intranet website is displayed.
Click Tools from the list.

Figure 1.3 Screenshot of PLABWIN10: Clicking the Tools folder on the
Intranet website.
Step 4
Scroll down and click Hacking Tools.
Figure 1.4 Screenshot of PLABWIN10: Clicking the Hacking Tools folder on
the intranet Website.
Step 5
Scroll down and click idserve.exe.
Figure 1.5 Screenshot of PLABWIN10: Clicking the idserve.exe tool.
Step 6
A notification bar appears at the bottom of Internet Explorer. Click Save.
Figure 1.6 Screenshot of PLABWIN10: Clicking Save in the notification bar.
Step 7
Click Run on the notification bar.
Figure 1.7 Screenshot of PLABWIN10: Clicking Run in the notification bar.
Step 8
Minimize the Internet Explorer window.
On the ID Serve window, click the Server Query tab.

Figure 1.8 Screenshot of PLABWIN10: Clicking the Server Query tab in the
ID Serve dialog box.
Step 9
On the Server Query tab, type the following URL in the Enter or copy / paste
an Internet server URL or IP address here text box:
http://intranet
Click Query The Server.

Figure 1.9 Screenshot of PLABWIN10: Typing the URL for the Intranet
Website and clicking Query The Server.
A lot of Web server information is displayed.

Figure 1.10 Screenshot of PLABWIN10: Showing the configuration of the
Intranet Webserver.
Step 10
You can scroll up and find the Webserver’s IP address.
Figure 1.11 Screenshot of PLABWIN10: Showing the IP address of the
Intranet Webserver.
Step 11
Click Exit to close the ID Serve dialog box.
Figure 1.12 Screenshot of PLABWIN10: Clicking Exit to close the ID Server
dialog box.
Task 2 - Explore a Network Using Nmap
Nmap has a graphical user interface (GUI) with the name Zenmap. It has the same
capabilities as Nmap. You can scan for ports, services, and so on.
In this task, you will explore a network using Nmap. To do this, perform the
following steps:
Step 1
Restore the Internet Explorer window from the taskbar.

Figure 1.13 Screenshot of PLABWIN10: Restoring Internet Explorer from
the taskbar.
Step 2
Ensure that you are on the Hacking Tools page on the Intranet Website. Scroll
down and click nmap-6.47-setup.exe.
Figure 1.14 Screenshot of PLABWIN10: Clicking the nmap executable from
the Intranet Website.
Step 3
A notification bar appears. Click Save.
Figure 1.15 Screenshot of PLABWIN10: Clicking Save in the notification
bar.
Step 4
After the installer is downloaded, click Run in the notification bar.
Figure 1.16 Screenshot of PLABWIN10: Clicking Run in the notification
bar.
Step 5
The Nmap Setup dialog box is displayed.
On the License Agreement page, click I Agree.

Figure 1.17 Screenshot of PLABWIN10: Clicking I Agree on the License
Agreement page.
Step 6
On the Choose Components page, keep the default selection and click Next.
Figure 1.18 Screenshot of PLABWIN10: Keeping the default selection and
clicking Next on the Choose Components page.
Step 7
On the Choose Install Location page, keep the default Destination Folder path,
and click Install.
Figure 1.19 Screenshot of PLABWIN10: Keeping the default location and
clicking Install on the Choose Install Location.
The installation progress is displayed.

Figure 1.20 Screenshot of PLABWIN10: Showing the installation progress
on the Installing page.
Step 8
Another dialog box named WinPcap (Nmap) 4.1.3 Setup is displayed.
On the License Agreement page, click I Agree.

Figure 1.21 Screenshot of PLABWIN10: Clicking I Agree on the License
Agreement page.
Step 9
The installation progress for WinPcap is displayed.
Once complete, click Next.

Figure 1.22 Screenshot of PLABWIN10: Showing the installation
completion and clicking Next.
Step 10
On the WinPcap Options page, keep the default selection and click Next.
Figure 1.23 Screenshot of PLABWIN10: Showing the options on the
WinPcap Options and clicking Next.
Step 11
On the Finished page, click Finish.
Figure 1.24 Screenshot of PLABWIN10: Clicking Finish on the Finished
page.
On the Installing page, the installation progress is displayed.

Figure 1.25 Screenshot of PLABWIN10: Showing the installation progress
on the Installing page.
Step 12
After the installation is completed, click Next on the Installation Complete page.
Figure 1.26 Screenshot of PLABWIN10: Clicking Next on the Installation
Complete page.
Step 13
On the Create Shortcuts page, keep the default selection and click Next.
Figure 1.27 Screenshot of PLABWIN10: Clicking Next on the Create
Shortcuts page.
Step 14
On the Finished page, click Finish.
Figure 1.28 Screenshot of PLABWIN10: Clicking Finished on the Finish
page.
Step 15
On the desktop, double-click the Nmap - Zenmap GUI icon.

Figure 1.29 Screenshot of PLABWIN10: Double-clicking the Nmap -
Zenmap GUI icon on the desktop.
Step 16
The Zenmap window is displayed. The top section has three key fields:
Target: The system that you want to scan.

Profile: A pre-defined scan method. The default method is Intense scan.
Command: This is entered based on the profile selection. You can also choose
to type a command manually.
In the Target text box, type the following IP address:
192.168.0.1
Click Scan.
Figure 1.30 Screenshot of PLABWIN10: Entering the IP address in the

Target text box and clicking Scan.
The output is displayed on the Nmap Output tab in the right pane.
Figure 1.31 Screenshot of PLABWIN10: Showing the scan results on the
Nmap Output tab.
Step 17
To view the ports information only, click the Ports / Hosts tab.
Figure 1.32 Screenshot of PLABWIN10: Showing the open ports on the
Ports / Hosts tab.
Step 18
Click the Topology tab. The topology for 192.168.0.1 is displayed.
Figure 1.33 Screenshot of PLABWIN10: Showing topology on the Topology
tab.
Step 19
Click the Host Details tab.
Notice that it displays quite a bit of detail. You can find its state (which is up), open
ports, filtered ports, and scanned ports.
Figure 1.34 Screenshot of PLABWIN10: Showing the host information on
the Host Details tab.
Step 20
Click the Scans tab.
Notice that it displays the command that has been executed to get the information
about the target system.
Note: The current scan is in an unsaved state. You can use the Scan > Save
Scan option (in the toolbar) to save the scan. Alternatively, you can press the
Ctrl + s keys to save the scan.
Figure 1.35 Screenshot of PLABWIN10: Showing the unsaved command on
the Scans tab.
Step 21
Close the Zenmap window. When prompted to save changes, click Close anyway.
Figure 1.36 Screenshot of PLABWIN10: Clicking Close anyway o the
Unsaved changes dialog box.
Task 3 - Use CurrPorts to Monitor TCP/IP Connections
CurrPorts is a network monitoring tool. It can display the open TCP and UDP
connections on a local system.
In this task, you will use CurrPorts to monitor TCP/IP connections. To do this,
perform the following steps:
Step 1
Restore the Internet Explorer window from the taskbar.

Figure 1.37 Screenshot of PLABWIN10: Restoring the Internet Explorer
window from the taskbar.
Step 2
Ensure that you are on the Hacking Tools page on the Intranet Website.
Scroll and click cports.zip.

Figure 1.38 Screenshot of PLABWIN10: Clicking the cports.zip file on the
Intranet Webpage.
Step 3
In the notification bar, click Save.
bar.
Step 4
In the notification bar, click Open folder.
Figure 1.40 Screenshot of PLABWIN10: Clicking Open folder on the
notification bar.
Step 5
The File Explorer window displays the Downloads folder.
Right-click cports and select Extract All…

Figure 1.41 Screenshot of PLABWIN10: Selecting the Extract all option
from the context menu.
Step 6
The Extract Compressed (Zipped) Folders dialog box is displayed.
Keep the default path and settings, then click Extract.

Figure 1.42 Screenshot of PLABWIN10: Showing the folder for extracting
the files and clicking Extract.
Step 7
A new File Explorer window is displayed with the cports folder. Double-click the
cports application file.
Figure 1.43 Screenshot of PLABWIN10: Showing the new File Explorer
window and double-clicking the cports executable.
The CurrPorts window is displayed. Notice that it displays the open TCP and UDP
connections.
The following information is displayed:
Process Name
Process ID
Protocol
Local Port
Local and Remote Addresses
State
Figure 1.44 Screenshot of PLABWIN10: Showing TCP and UDP
connections.
Step 8
Let’s attempt to close a TCP connection.
Select a TCP connection, right-click and select Close Selected TCP Connections.
Figure 1.45 Screenshot of PLABWIN10: Selecting Close Selected TCP
Connections from the context menu.
Step 9
The CurrPorts dialog box is displayed. It prompts to confirm the closure of the
selected TCP connection. Click Yes.
Figure 1.46 Screenshot of PLABWIN10: Clicking Yes on the CurrPorts
dialog box.
Step 10
The CurrPorts dialog box displays an error message. You must start the
CurrPorts tool with admin privileges to close a TCP connection.
Click OK.
Figure 1.47 Screenshot of PLABWIN10: Showing the error of elevated
privileges required in the CurrPorts dialog box.
Step 11
Click Close to close the CurrPorts application.
Figure 1.48 Screenshot of PLABWIN10: Closing the CurrPorts window.
Close the File Explorer windows.
Keep the Internet Explorer window open.
Task 4 - Use MyLanViewer to Scan a Network
MyLanViewer is a network and IP Scanner. It is also a tool that can search the
WHOis database. You can use it for multiple purposes, such as:
Traceroute
Remote shutdown
Wake On LAN (WOL) manager
Wireless network scanner and monitor
In this task, you will use MyLanViewer to scan the network. To use MyLanViewer,
perform the following steps:
Step 1
Restore the Internet Explorer window from the taskbar if it is minimized.
Figure 1.49 Screenshot of PLABWIN10: Restoring the Internet Explorer

window from the taskbar.
Step 2
Ensure that you are on the Hacking Tools page on the Intranet Website.
Scroll down and click MyLanViewer-setup.exe.
Figure 1.50 Screenshot of PLABWIN10: Double-clicking the MyLanViewer-

setup.exe file from the Intranet Webpage.
Step 3
In the notification bar, click Save.
bar.
Step 4
In the notification bar, click Run.
Figure 1.52 Screenshot of PLABWIN10: Clicking Run in the notification
bar.
Step 5
The Setup - MyLanViewer wizard is displayed.
On the Welcome to the MyLanViewer Setup Wizard page, click Next.

Figure 1.53 Screenshot of PLABWIN10: Clicking Next on the Welcome to
the MyLANViwer Setup Wizard page.
Step 6
On the License Agreement page, select I accept the agreement and click Next.
Figure 1.54 Screenshot of PLABWIN10: Accepting the license agreement
and clicking Next.
Step 7
On the Select Destination Location page, keep the default path, and click Next.
Figure 1.55 Screenshot of PLABWIN10: Clicking Next on the Select
Destination Location page to accept the default location.
Step 8
On the Select Start Menu Folder page, keep the default name for the Start Menu
and click Next.
Figure 1.56 Screenshot of PLABWIN10: Clicking Next on the Select Start
Menu Folder page.
Step 9
On the Select Additional Tasks page, keep the default selection and click Next.
Figure 1.57 Screenshot of PLABWIN10: Clicking Next on the Select
Additional Tasks page.
Step 10
On the Ready to Install page, review the installation configuration, and click
Install.
Figure 1.58 Screenshot of PLABWIN10: Clicking Install on the Ready to
Install page.
Step 11
On the Completing the MyLanViewer Setup Wizard page, keep the default
selection and click Finish.
Figure 1.59 Screenshot of PLABWIN10: Clicking Finish on the Launch
MyLanViewer page.
Step 12
The MyLanViewer dialog box is displayed, informing that this is a trial version that
will work as a fully functional product for 15 days.
Click OK.
Figure 1.60 Screenshot of PLABWIN10: Clicking OK on the MyLanViewer
dialog box.
The MyLanViewer - Monitoring Devices on Your Subnet/Wi-Fi window is

displayed.
MyLanViewer will now start to scan the subnet or Wi-Fi network depending on
your system’s connectivity.
Figure 1.61 Screenshot of PLABWIN10: Showing the scanning in the
MyLanViewer - Monitoring Devices on Your Subnet/Wi-Fi window.
Step 13
After a few minutes, it is able to scan for the live systems on the subnet. Expand
PLABWIN10.PRACTICELABS.COM (Your Computer).
Notice that it has captured a lot of system-related information. For example, you can
find its MAC address, IP address, and online status.
Figure 1.62 Screenshot of PLABWIN10: Expanding
PLABWIN10.PRACTICELABS.COM (Your Computer).
Step 14
Click Tools in the toolbar and select Ping / Traceroute To Host…
Figure 1.63 Screenshot of PLABWIN10: Clicking Tools and selecting Ping /
Traceroute To Host option.
Step 15
The Ping / Traceroute To Host dialog box is displayed.
In the Host text box, type the following IP address:
192.168.0.250
Click Ping.
Figure 1.64 Screenshot of PLABWIN10: Entering the IP address in the
Host textbox and clicking Ping.
The replies are received from the target, 192.168.0.250.

Figure 1.65 Screenshot of PLABWIN10: Showing the received replies from
the target system.
Step 16
Close the Ping / Traceroute To Host dialog box.
Figure 1.66 Screenshot of PLABWIN10: Closing the Ping / Traceroute To
Host dialog box.
Step 17
Close the MyLanViewer - Monitoring Devices on Your Subnet/Wi-Fi
window.
Figure 1.67 Screenshot of PLABWIN10: Closing the MyLanViewer -
Monitoring Devices on Your Subnet/Wi-Fi window.
Exercise 2 - Using Linux Network Scanning

Tools
Kali Linux contains various tools that can be used for network scanning. These tools
are:
Hping3
Dmitry
Netcat
Netdiscover
Nmap
Fping
Msfconsole
Most of these tools are meant for network scanning. However, some of the tools are
primarily for a different function. For example, Msfconsole if primarily a penetration
testing and exploit creation tool, but it also provides the capability of scanning a
network.
In this exercise, you will learn to use various Linux-based tools for network scanning.
Learning Outcomes
After completing this exercise, you will be able to:

Your Devices
You will be using the following devices in this lab. Please power these on now.

Task 1 - Use Hping3 for Network Scanning
Hping3 is a powerful tool that can be used for various types of scanning in a network.
It can perform Layer 3 and Layer 4 scanning.
In this task, you will use the hping3 tool to perform various types of network
scanning. To do this, perform the following steps:
Step 1
Ensure you have powered on the required devices and connect to PLABKALI01.
Credentials are:
Username:
root
Password:
Passw0rd
Click the Terminal icon in the left pane.
Figure 2.1 Screenshot of PLABKALI01: Showing the desktop of
PLABWIN10 and clicking the Terminal icon in the left pane.
Step 2
The terminal window is displayed. You can perform an ICMP discovery of a single
host using hping3.
Type the following command:
hping3 192.168.0.1 --icmp
Press Enter.
Figure 2.2 Screenshot of PLABKALI01: Entering the command to perform
ICMP discovery of a single host.
Step 3
The output of the command is displayed.
The hping3 command will continue for an indefinite time unless you stop it. To do
this, press the Ctrl + C keys.
Figure 2.3 Screenshot of PLABKALI01: Showing the response from the
target system.
Step 4
Clear the screen by entering the following command:
clear
You can also limit the command to perform ICMP discovery for a limited number. To
do this, type the following command:
hping3 192.168.0.1 --icmp -c 5
Press Enter.
Figure 2.4 Screenshot of PLABKALI01: Entering the hping3 command to

perform ICMP discovery for a limited number.
Note: The -S parameter sets the SYN flag.
The output of the hping3 command will be limited to five times.

Figure 2.5 Screenshot of PLABKALI01: Showing the output of the hping3
command.
Step 5
clear
You can also use the hping3 command to scan for a specific TCP port. You need to
specify the port number with the - - scan parameter. Type the following command:
hping3 intranet --scan 80 -S
Press Enter.

scan for a specific TCP port.
Notice that in the flags column, S and A are mentioned. This means that the
SYN+ACK response was received from the target system.
command.
SYN+ACK is part of the TCP 3-way handshake process between two systems, which
has the following steps:
Host1 sends a TCP SYN (synchronize) packet to Host2

Host2 receives Host1's SYN (synchronize) packet
Host2 sends a SYN (synchronize) -ACK (Acknowledgement).
Host1 receives Host2's SYN+ACK
Host1 sends ACK (Acknowledgement)
Host2 receives ACK (Acknowledgement).
Step 6
You can also scan for multiple ports using the hping3 command. To do this, type the
following command:
hping3 intranet --scan 22,80,443 -S
Press Enter.
Figure 2.8 Screenshot of PLABKALI01: Entering the command to scan for

multiple ports using the hping3 command.
Notice the output. Only port 80 has responded. The output only displays the ports if
the SYN+ACK response is received.
command.
Step 7
clear
You can also scan for a range of ports. To do this, you need to specify the first and the
last port. Type the following command:
hping3 192.168.0.1 --scan 1-80 -S
Press Enter.

scan for a range of ports.
Notice the output. Only port 53 is open.

command.
Step 8
clear
To scan the entire TCP port range, type the following command:
hping3 192.168.0.1 --scan 1-65535 -S

Press Enter.

scan the entire TCP port range.
Scroll up to see the output mentioning open ports.

Figure 2.13 Screenshot of PLABKALI01: Showing the partial output of the
hping3 command.
Scroll down to the command prompt. Notice that all closed ports are mentioned.
command.
Step 9
clear
You can use hping3 to determine open ports on a target. To identify open ports on
192.168.0.1, type the following command:
hping3 -8 0-100 -S 192.168.0.1
Press Enter.

determine open ports on a target.
The given command specifies the following switches:
-8 = Enable SCAN mode.

0-100 = Range of ports to scan.
-S = set SYN flag.
The output displays the list of open ports and the services that use them. The output
also displays the list of ports that do not respond to the scan.
Note: Notice the given command sent the SYN flag and received the SYN ACK
flag from each open port on PLABDC01.

command with the output of the list of open ports and the services that use
them.
Keep the terminal window open.
Task 2 - Perform a TCP Scan Using Dmitry
Dmitry is an information gathering tool. It has the capability to gather the following
types of information:
Subdomains
E-mail addresses
Uptime information
TCP port scan
WHOis lookups
In this task, you will use Dmitry to perform a TCP scan. To do this, perform the
following steps:
Step 1
If you are continuing from the previous task, the terminal window should be open. If
not, then open a new terminal window.
If continuing from the previous task, then clear the screen by entering the following
command:
clear
To view the parameters of the dmitry command, type the following:
dmitry
Press Enter.
Figure 2.17 Screenshot of PLABKALI01: Entering the dmitry command.
The output displays the list of parameters.

Figure 2.18 Screenshot of PLABKALI01: Showing the output of the dmitry
command with various parameters.
Step 2
clear
You will now use the -p parameter along with the dmitry command to perform a
TCP scan. Type the following command:
dmitry -p intranet
Press Enter.
Figure 2.19 Screenshot of PLABKALI01: Entering the dmitry command to

perform a TCP scan.
The output displays the list of open ports. It also shows the target’s IP address.
command.
Step 3
clear
You can also send the dmitry output to a text file. In this step, you will send the
output to a text file named plab.
To do this, type the following command:

dmitry -p intranet -o plab
Press Enter.
Figure 2.21 Screenshot of PLABKALI01: Entering the dmitry command to

send the output to a text file.
Notice that the output mentions writing output to plab.txt.

command with the generated output file.
Step 4
clear
To view the plab.txt file type the following command:
cat plab.txt
Press Enter.
Figure 2.23 Screenshot of PLABKALI01: Entering the cat command to view

the plab.txt file.
Notice that the output is the same as the output for the following command:
dmitry -p intranet
The plab.txt file contains the same output as the above-mentioned command.
Figure 2.24 Screenshot of PLABKALI01: Showing the contents of the
plab.txt file.
Task 3 - Use Netcat for Port Scan
Netcat, or nc, is a tool that is used for monitoring network connections and can also
be used for port scanning.
In this task, you will use nc for port scanning. To do this, perform the following
steps:
Step 1
command:
clear
To view the list of parameters of nc command, type the following:
nc -h
Press Enter.
Figure 2.25 Screenshot of PLABKALI01: Entering the nc command to view
its list of parameters.
The output of the nc -h command is displayed.

Figure 2.26 Screenshot of PLABKALI01: Showing the output of the nc -h
command.
Step 2
clear
To scan for a specific port, type the following command:
nc -nvz 192.168.0.1 88
Press Enter.
Figure 2.27 Screenshot of PLABKALI01: Entering the nc command to view

the specific port on a system.
Note: The -n parameter states that an IP address will be used. The -z

parameter is used for scanning. The -v parameter is used for verbose output.
The output of the nc command is displayed. It confirms that the port 88, which is
used by Kerberos, is open. You can test out various ports and find out if they are
open.
Figure 2.28 Screenshot of PLABKALI01: Showing the output of the nc
command.
Task 4 - Use Netdiscover for Scanning the Network
Netdiscover is a tool that can perform Layer 2 discovery. You can pass the range of IP
address in the CIDR notation, and Netdiscover can scan the entire range.
In this task, you will learn to scan the network using Netdiscover. To do this, type the
following command:
Step 1
command:
clear
To view the list of parameters of the netdiscover command, type the following:
netdiscover -r 192.168.0.0/24
Press Enter.
Note: The -r parameter is used for defining the CIDR notation.

PLABWIN10.
Notice the output of the netdiscover command. It has detected five systems on the
network.
Note: The fifth system is the Kali Linux system. Since you are executing the
command from sixth system, it does not mention it in the list.
Figure 2.30 Screenshot of PLABKALI01: Showing the output of the
netdiscover command.
Step 2
Press Ctrl + C to break the command.
If you are scanning an entire system, it can alert an Intrusion Detection System (IDS)
or Intrusion Prevention System (IPS). This is because ARP requests are broadcasted
all over the subnet, which can alert an IDS or IPS. You can run the netdiscover
command in stealth mode using the -p parameter.
netdiscover -p
Press Enter.
Figure 2.31 Screenshot of PLABKALI01: Executing the netdiscover

command in the stealth mode.
Notice that the command executes in the passive mode, which is stealth mode.
Note: If may take a few minutes to scan for systems on a network.

Figure 2.32 Screenshot of PLABKALI01: Showing the progress of the
netdiscover command in stealth mode.
Step 3
If this command takes a long time to run, you can break the command by pressing
Ctrl + C keys.
Figure 2.33 Screenshot of PLABKALI01: Breaking the netdiscover
command.
Task 5 - Perform Stealth Scanning Using Nmap
In a stealth scan, the attacker does not complete the three-way handshake with the
victim’s system and, therefore, goes undetected. Nmap has different options for
conducting stealth scans, which you will perform in this task. To conduct stealth
scanning, perform the following steps:
Step 1
Ensure that you are connected to Kali Linux and the terminal window is open.
If not already, clear the screen by entering the following command:

clear
You will now scan for the ports using a TCP SYN scan, which is known to be a
stealth scan. Type the following command:
nmap -sS 192.168.0.1
Press Enter.
Figure 2.34 Screenshot of PLABKALI01: Typing the nmap -sS command in

the terminal window.
Note: If no port range is specified, the command ‘nmap -sS <target>’
performs an SYN scan on well-known 1,000 TCP ports on the host <target>.
Nmap scans can be specifically crafted as desired. Detailed information about
all the switches supported by Nmap can be found in the help section of the tool.
The output lists the open ports on 192.168.0.1.
Figure 2.35 Screenshot of PLABKALI01: Showing the output of the -sS

command.
Step 2
clear
ACK scan cannot be used for scanning ports. This type of scan will never show ports
in the "open" state, and hence it should be used in conjunction with other scan types
to gain more information about firewalls or packet filters between your source
machine and the target machine.
If used for port scanning, ACK scan will only provide a meaningful result if the target
OS type is Solaris.
ACK scanning is mainly used to discover the rules of a filter. It can help to determine
if a firewall is stateless (that blocks incoming SYN packets) or stateful (that tracks
connections and also blocks unsolicited ACK packets).
As the name indicates, the ACK scan sends ACK packets to the target host. If the
target responds with an RST packet, then the port is classified as "unfiltered" (the
port is allowed to send its RST packet through the firewall that is in place). If no
packets are received, the port is said to be "filtered" (the firewall prevented the RST
packet sent from the port).
To perform a TCP ACK scan, type the following command:
nmap -sA 192.168.0.0/24
Press Enter.
The following are the switches used in the given command:
-sA : ACK Scan

-p : Specific port number to scan (port range can also be specified)
The output of this command is displayed. The output does not contain the open or
closed ports but filtered or unfiltered ports. For example, all 1000 ports on
192.168.0.2 are filtered whereas, on 192.168.0.250, they are unfiltered.
Figure 2.37 Screenshot of PLABKALI01: Showing the output of the nmap -

sA command.
Step 3
clear
You can also perform a stealth scan to avoid being detected by the non-stateful
firewalls. This is known as Null scan. In this type of scan, the TCP segment does not
carry a flag. In the usual state, there would be at least the ACK flag that is raised.
To perform this, type the following command:
nmap -sN 192.168.0.1-4
Press Enter.
Figure 2.38 Screenshot of PLABKALI01: Typing the nmap -sN command in

The output of this command is displayed. It lists the open and filtered ports on
various target systems.

sN command.
Step 4
clear
Another type of stealth scan is a FIN scan, which sends a TCP FIN message. To
conduct a FIN scan, type the following command:
nmap -sF 192.168.0.1-4
Press Enter.
Figure 2.40 Screenshot of PLABKALI01: Typing the nmap -sF command in
The output of this command is displayed.

sF command.
Step 5
clear
The next type of stealth scan is Xmas scan, which sends the TCP segment with
three flags raised. These flags are FIN, PSH, and URG.
Note: The Null, FIN, and Xmas scans are used to avoid being detected by the
non-stateful firewall.
To perform the Xmas scan, type the following command:
nmap -sX 192.168.0.1-3
Press Enter.
Figure 2.42 Screenshot of PLABKALI01: Typing the nmap -sX command in

Notice the outcome of this command.

sX command.
Step 6
clear
You can also choose the speed of your stealth scan. For example, you choose
paranoid (T0), sneaky (T1), polite (T2), normal (T3), aggressive (T4), and
insane (T5). T0 is the slowest scan, and T5 is the fastest scan.
To perform a T5 scan on a system, type the following command:
nmap 192.168.0.2 -T 5
Press Enter.
Figure 2.44 Screenshot of PLABKALI01: Typing the nmap command with

the -T5 parameter in the terminal window.
Notice the speed of the scan.
Note: You can attempt to perform a T1 or T2 scan and notice the time
difference.
Figure 2.45 Screenshot of PLABKALI01: Showing the output of the nmap
command with the -T parameter.
Task 6 - Use fping for Network Scanning
The fping tool is similar to the ping tool but has additional features. One of the
additional features is that it can be used as a scanning tool.
To use fping as a scanning tool, perform the following steps:
Step 1
Ensure that you are connected to Kali Linux and the terminal window is open.
clear
You can simply pass the IP address to the fping command as a parameter to check if
a system is alive on the network.
fping 192.168.0.1
Press Enter.
Figure 2.46 Screenshot of PLABKALI01: Entering the fping command to

check if a host is alive.
The output shows that the mentioned system is alive on the network.
Figure 2.47 Screenshot of PLABKALI01: Showing the output of the fping

command.
Step 2
Using the -g parameter, you can scan for more than one system on the network.
fping -g 192.168.0.1 192.168.0.2
Press Enter.

check for more than one system.
Notice that output displays the status of each of the systems.
Figure 2.49 Screenshot of PLABKALI01: Showing the output of the fping -g

command.
Step 3
Using the -g parameter, you can scan an entire subnet using the CIDR notation.
fping -g 192.168.0.0/24
Press Enter.

scan an entire subnet using the CIDR notation.
Notice the output scans for the live systems on the entire subnet and lists the status
of each IP address.
Note: You can scroll to see the status of the systems.
Figure 2.51 Screenshot of PLABKALI01: Showing the output of the fping

command.
Close the terminal window.
Task 7 - Use Msfconsole to Perform TCP Stealth on a Network
Metasploit framework is the most widely used tool in exploiting vulnerabilities. A

free edition is available in Kali Linux. Metasploit has a modular and flexible
architecture that helps you develop new exploits as more vulnerabilities are
discovered. On the other hand, it is also used in penetration testing. Other than the
modules for penetration testing, Metasploit Framework also contains modules that
can be used for various types of scans, such as:
UDP scan
TCP stealth scan
Full connect scan
In this task, you will perform a TCP stealth scan. To do this, perform the following
steps:
Step 1
Click the metasploit framework icon in the left pane.

PLABKALI01 and clicking on the metasploit framework icon.
Step 2
The terminal window is displayed.
Type msfconsole
Press Enter
Figure 2.53 Screenshot of PLABKALI01: Showing the msf5 prompt after

the Metasploit framework starts.
The metasploit framework has started now.
Note: The number of exploits and payloads will change from time to time.
Step 3
Next, you will load the module with the use command. To do this, type the following
command:
use auxiliary/scanner/portscan/syn
Press Enter.
Figure 2.54 Screenshot of PLABKALI01: Using the use command for a
module.
Step 4
You will now need to set the remote host on which you want to perform the TCP
stealth scan. Type the following command:
set RHOSTS 192.168.0.1
Press Enter.
Figure 2.55 Screenshot of PLABKALI01: Setting the RHOSTS value.
Step 5
Notice that the RHOSTS value is now set. You will now set the number of
concurrent tasks to be performed in the background. This is done by setting the
THREADS value. Type the following command:
set THREADS 25
Press Enter.
Figure 2.56 Screenshot of PLABKALI01: Setting the THREADS value.
Step 6
Notice that the THREADS value is now set. You will need to set the port. This is
done by setting the PORTS value. Type the following command:
set PORTS 53
Press Enter.
Figure 2.57 Screenshot of PLABKALI01: Setting the PORTS value.
Step 7
Notice that the PORTS value is now set. You can now execute the module.
run
Press Enter.
Figure 2.58 Screenshot of PLABKALI01: Using the run command to

execute the module.
Notice the output. It has found the port 53 to be open.
Figure 2.59 Screenshot of PLABKALI01: Showing the output of the run

command.
Step 8
Let’s now scan against a range of ports. To do this, you need to reset the PORTS
value. Type the following command:
set PORTS 1-100
Press Enter.
Notice that the value of PORTS has been reset to 1-100. This means ports 1 to 100
will be scanned.
Figure 2.60 Screenshot of PLABKALI01: Entering the command to reset

the PORTS value.
Step 9
You can now execute the module. To do this, type the following command:
run
Press Enter.

execute the module.
Notice that in the range of 1 to 100, two ports, 53 and 88, are found open.
Figure 2.62 Screenshot of PLABKALI01: Showing the open ports.
Step 10
You have performed a TCP stealth scan against a single host. You can reset the
RHOSTS value to perform this scan against multiple hosts in one go. To do this,
type the following command:
set RHOSTS 192.168.0.1-3
Press Enter. Notice that the value of RHOSTS has been reset to 192.168.0.1-3.
Figure 2.63 Screenshot of PLABKALI01: Resetting the RHOSTS value.
Step 11
You can now execute the module. To do this, type the following command:
run
Press Enter.

execute the module.
Notice the output. Port 53 and 88 are open on 192.168.0.1. Port 80 is open on
192.168.0.2.
Figure 2.65 Screenshot of PLABKALI01: Showing the open ports.
Review
Well done, you have completed the Scanning Networks Practice Lab.
Summary
You completed the following exercises:

You should now be able to:

Feedback
Shutdown all virtual machines used in this lab. Alternatively, you can log out of
the lab platform.

4 Scanning Networks

Uploaded by

Document Informationclick to expand document information

Copyright:

Available Formats

4 Scanning Networks

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

4 Scanning Networks

Uploaded by

Copyright:

Available Formats

Practice Labs - Ethical Hacker v10

Exercise 1 - Using Microsoft Network Scanning Tools

Banner Grab Using ID Serve

5.2 Information Security Assessment Methodologies

Help and Support

Click Next to view the Lab topology used in this module.

Click Next to proceed to the first exercise.

Exercise 1 - Using Microsoft Network Scanning

Banner Grab Using ID Serve

PLABDC01 - (Windows Server 2019 - Domain Server)

Task 1 - Banner Grab Using ID Serve

As an ethical hacker, it is important to know banner grabbing methods. ID Serve is

Figure 1.1 Screenshot of PLABWIN10: Showing the desktop of

Figure 1.2 Screenshot of PLABWIN10: Searching for Internet Explorer and

Click Tools from the list.

On the ID Serve window, click the Server Query tab.

Click Query The Server.

A lot of Web server information is displayed.

Task 2 - Explore a Network Using Nmap

Restore the Internet Explorer window from the taskbar.

On the License Agreement page, click I Agree.

The installation progress is displayed.

On the License Agreement page, click I Agree.

Once complete, click Next.

On the Installing page, the installation progress is displayed.

On the desktop, double-click the Nmap - Zenmap GUI icon.

Target: The system that you want to scan.

In the Target text box, type the following IP address:

Figure 1.30 Screenshot of PLABWIN10: Entering the IP address in the

Task 3 - Use CurrPorts to Monitor TCP/IP Connections

Restore the Internet Explorer window from the taskbar.

Scroll and click cports.zip.

Right-click cports and select Extract All…

Keep the default path and settings, then click Extract.

The following information is displayed:

Close the File Explorer windows.

Keep the Internet Explorer window open.

Task 4 - Use MyLanViewer to Scan a Network

Restore the Internet Explorer window from the taskbar if it is minimized.

Figure 1.49 Screenshot of PLABWIN10: Restoring the Internet Explorer

Figure 1.50 Screenshot of PLABWIN10: Double-clicking the MyLanViewer-

On the Welcome to the MyLanViewer Setup Wizard page, click Next.

Minimize the Internet Explorer window.

The MyLanViewer - Monitoring Devices on Your Subnet/Wi-Fi window is

In the Host text box, type the following IP address:

The replies are received from the target, 192.168.0.250.

Exercise 2 - Using Linux Network Scanning

Use Hping3 for Network Scanning

PLABDC01 - (Windows Server 2019 - Domain Server)

Type the following command:

hping3 192.168.0.1 --icmp

Figure 2.4 Screenshot of PLABKALI01: Entering the hping3 command to

Note: The -S parameter sets the SYN flag.

The output of the hping3 command will be limited to five times.

Figure 2.6 Screenshot of PLABKALI01: Entering the hping3 command to

Host1 sends a TCP SYN (synchronize) packet to Host2

hping3 intranet --scan 22,80,443 -S

Figure 2.8 Screenshot of PLABKALI01: Entering the command to scan for