Ex-2 - NMap

The document discusses how to perform various types of vulnerability scans against remote systems using Nmap, including finding open ports, detecting the remote operating system, performing TCP, stealth, and UDP scans, and using OS fingerprinting.

Uploaded by noor222.202

Lab Activity-2

VULNERABILITY SCANNING USING NMAP

1. Launch the Nmap-Zenmap GUI tool from the Program Menu or the desktop icon.
2. Type the target machine's IP address (i.e., the guest OS or any website address).
3. Perform the profiles shown in the utility.

1) Find Open Ports on a System

i. Enter the IP address or URL in the Target field.
ii. Explore the options in the Profile field.
iii. Select Intense scan and click the Scan button.
iv. Under the Nmap Output tab, you can see the open ports on the system.
2) Find the Version of the Remote OS on Other Systems

3) TCP Scan:

When an attacker uses a TCP connect scan, Nmap uses the connect() system call to open connections to
interesting ports on the target host and complete the 3-way TCP handshake, so the probe is easily detected by
the target host. Logs on the host machine will show these ports being opened by the attacker. A TCP connect
scan is selected with the "-sT" flag as:

nmap -sT itsecgames.com

4) Stealth Scan
What if an attacker wants to scan a host without being logged on the target machine? TCP SYN scans are less
prone to logging on the target's machine, because a full handshake never completes. A SYN scan starts by sending
a SYN packet, which is the first packet in TCP negotiation. Any open ports will respond with a SYN|ACK, as they
should. However, the attacker sends a RST instead of an ACK, which terminates the connection. The advantage is
that the 3-way handshake never completes, and fewer sites will log this type of probe. Ports that are closed will
respond to the initial SYN with a RST, allowing Nmap to determine that the host isn't listening on that port. The
"-sS" flag will launch a SYN scan against a host or network as:

nmap -sS itsecgames.com
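As an added example (not part of the lab sheet), the following Python script replays a constructed packet list to show the SYN, SYN|ACK, RST exchange described above, and from the defender's side, how a source that keeps aborting half-open connections can be picked out of flow records. All hosts, ports and the threshold are assumptions.

```python
from collections import defaultdict

# Constructed packet records, not a real capture: (src, sport, dst, dport, tcp_flags).
# Hypothetical hosts: 10.0.0.5 runs a SYN scan, 10.0.0.7 is an ordinary client, 10.0.0.10 is the target.
SAMPLE_PACKETS = [
    ("10.0.0.5", 40001, "10.0.0.10", 22, "S"),
    ("10.0.0.10", 22, "10.0.0.5", 40001, "SA"),   # open port answers SYN|ACK
    ("10.0.0.5", 40001, "10.0.0.10", 22, "R"),    # scanner sends RST instead of ACK
    ("10.0.0.5", 40002, "10.0.0.10", 23, "S"),
    ("10.0.0.10", 23, "10.0.0.5", 40002, "RA"),   # closed port answers RST
    ("10.0.0.5", 40003, "10.0.0.10", 80, "S"),
    ("10.0.0.10", 80, "10.0.0.5", 40003, "SA"),
    ("10.0.0.5", 40003, "10.0.0.10", 80, "R"),
    ("10.0.0.5", 40004, "10.0.0.10", 443, "S"),   # no reply at all
    ("10.0.0.7", 50000, "10.0.0.10", 80, "S"),    # normal client completes the handshake
    ("10.0.0.10", 80, "10.0.0.7", 50000, "SA"),
    ("10.0.0.7", 50000, "10.0.0.10", 80, "A"),
]

def track_flows(packets):
    """Replay packets and record how far each client-initiated TCP flow got."""
    flows = {}
    for src, sport, dst, dport, flags in packets:
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == "S" and fwd not in flows:
            flows[fwd] = "syn_sent"                 # first packet of the handshake
        elif rev in flows and flows[rev] == "syn_sent":
            # Server's reply decides the port state: SYN|ACK -> open, RST -> closed
            flows[rev] = "synack" if flags == "SA" else "rst" if "R" in flags else flows[rev]
        elif fwd in flows and flows[fwd] == "synack":
            # Client's third packet: ACK completes the handshake, RST aborts it half-open
            flows[fwd] = "synack_ack" if flags == "A" else "synack_reset" if flags == "R" else flows[fwd]
    return flows

def port_states(flows):
    """Port state per (target, port), inferred the way the SYN scan in the text does."""
    state_of = {"syn_sent": "filtered", "rst": "closed",
                "synack": "open", "synack_ack": "open", "synack_reset": "open"}
    return {(dst, dport): state_of[st] for (_, _, dst, dport), st in flows.items()}

def suspected_syn_scanners(flows, threshold=2):
    """Defender's view: a source that keeps aborting half-open connections with RST is port scanning."""
    counts = defaultdict(int)
    for (src, _, _, _), st in flows.items():
        if st == "synack_reset":
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= threshold}
```

Note that the ordinary client on port 80 completes its handshake and is never counted, which is the same distinction that makes a connect scan show up in host logs while a SYN scan usually does not.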

5) UDP Scan:
Using the UDP scan "-sU", an attacker can determine which ports are open to UDP on a host. Nmap sends a 0-byte
UDP packet to each port. If the host returns a "port unreachable" message, that port is considered closed.
This method can be time consuming because most UNIX hosts limit the rate of ICMP errors. Fortunately, Nmap
detects this rate limit and slows itself down, so as not to flood the target with messages that would have been ignored.
Launch a UDP scan as follows:

nmap -sU itsecgames.com


6) Which OS is running on the host? “OS Fingerprinting”
Often an intruder may be more familiar with exploits for a particular operating system, and may be looking for
machines he's able to compromise easily. A common option is TCP/IP fingerprinting with the "-O" option to
determine the remote operating system. This has to be combined with a port scan and not a ping scan.

# nmap -sS -O itsecgames.com
