Assignment 5

Uploaded by

ahmed hmada

Assignment 5: Active Reconnaissance Techniques in Detail & Report (3-4 hours)

1. Introduction
Active reconnaissance gathers information about a target network by sending traffic to it (port scans, service probes, banner requests), unlike passive reconnaissance, which relies only on publicly available data. Because it interacts directly with the target it can be detected and logged, and it must only be carried out with explicit authorization. The goal is to map the exposed services and identify weaknesses that can be exploited in later phases. In this report, two tools, Nmap and Netcat, are used to scan and analyze a target system.
• Nmap (Network Mapper) is a widely used open-source tool for host discovery and port scanning. With service detection (and its scripting engine) it identifies open ports, the services running on them and their software versions, which can then be checked against known vulnerabilities.
• Netcat (often referred to as "the Swiss-army knife of networking") is a small tool for reading from and writing to raw TCP/UDP connections. It is used here for banner grabbing, simple port checks and manual interaction with services over a network.

2. Nmap Scan and Results Analysis

2.1. Nmap Command

The following Nmap command was used for scanning the target system:

nmap -sS -sV -p- <target_IP>

• -sS: TCP SYN ("half-open") scan. Nmap sends a SYN and classifies the port from the SYN/ACK or RST it gets back without completing the three-way handshake. It needs raw-socket privileges (root/sudo); without them Nmap falls back to a full connect scan (-sT).
• -sV: Service version detection. Nmap completes connections to the open ports and matches the banners and probe responses against its signature database to identify the product and version running on each port.
• -p-: Scans all 65,535 TCP ports (1-65535) instead of the default top 1,000.

Note that -sS is "stealthy" only in the sense that the application never sees a completed connection; the SYN packets themselves are easily picked up by a firewall or IDS, and -sV makes full connections afterwards anyway. A -p- scan with version detection against every open port can take a long time, so the target scope and timing options (e.g. -T4) should be agreed before the scan.

2.2. Nmap Scan Results

Here are the summarized results from the scan:

Port   Service      Version              Potential Vulnerabilities
----   -------      -------              -------------------------
22     SSH          OpenSSH 8.2p1        Possible brute-force attacks if weak credentials are used.
80     HTTP         Apache httpd 2.4.41  CVE-2020-11984, CVE-2020-9490 (see note below).
443    HTTPS        Apache httpd 2.4.41  SSL/TLS misconfiguration or old protocol versions could expose the service to attacks like Heartbleed or POODLE.
3306   MySQL        MySQL 5.7.31         Weak or default credentials could allow unauthorized database access.
8080   HTTP Proxy   Squid 4.10           Proxy misconfiguration could allow bypassing network restrictions or data exfiltration.

Note on the Apache findings: CVE-2020-11984 is a buffer overflow in mod_proxy_uwsgi (information disclosure and possible remote code execution) and CVE-2020-9490 is a crash in mod_http2 (denial of service). Both affect 2.4.41 and were fixed in 2.4.44, so this is not an "older versions only" issue, but each is only reachable if the respective module is enabled, which the version banner alone does not tell us. Likewise Heartbleed is an OpenSSL bug and POODLE an SSLv3 protocol weakness: neither follows from the Apache version, so the TLS stack and configuration on port 443 must be checked separately (for example with nmap --script ssl-enum-ciphers). The MySQL port being reachable from the network at all is itself a finding, independent of the credentials.
3. Using Netcat for Ethical Reconnaissance
3.1. Basic Netcat Commands
Netcat can be used for banner grabbing and simple manual interaction with open ports on a target. This gives more insight into the services Nmap identified and can uncover sensitive information (software names, versions, operating system hints) that is inadvertently exposed in banners and response headers.
1. Banner Grabbing with Netcat:
nc <target_IP> 80
GET / HTTP/1.1
Host: <target_IP>
Connection: close

Once nc has connected, the request lines are typed by hand. HTTP needs an empty line to end the headers, so press Enter twice after the last header line; without it the server keeps waiting and nothing comes back. The server then responds with an HTTP status line and headers that may reveal information about it, such as the web server software and version in the Server header (for example Apache/2.4.41) and sometimes the operating system or application framework. Connection: close makes the server close the session after the reply instead of keeping it open under HTTP/1.1.
2. Port Scanning with Netcat:
nc -zv <target_IP> 20-100
o -z: zero-I/O mode; Netcat only attempts the connection and reports the result, sending no data.
o -v: verbose; prints a line per port, so the open ports between 20 and 100 on the target system are listed.
Unlike Nmap's SYN scan, this completes the full TCP handshake for every port, so it is slower, noisier and logged by the services it connects to. The range syntax shown is that of the OpenBSD and traditional netcat implementations; other netcat variants differ in the options they accept.
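As an added example that is not part of the original report, the two Netcat operations above are reproduced in Python so they can be run and checked offline: a connect scan over a port range (what nc -zv does) and an HTTP banner grab that sends the request shown above, including the blank line that terminates the headers, and parses the Server header out of the reply. It starts a stand-in listener on 127.0.0.1 that answers with a constructed Apache-style response, so the banner it prints is made up, not from the target.

```python
"""Netcat-style connect scan and HTTP banner grab, against a local stand-in server."""
import socket
import threading

# Constructed response served by the local stand-in for the target's port 80.
# This is NOT a real capture from the target system.
FAKE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.4.3\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: close\r\n\r\n"
)


def start_fake_http_server():
    """Start a listener on 127.0.0.1 that returns FAKE_RESPONSE; returns (port, socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed
            with conn:
                conn.settimeout(2)
                try:
                    conn.recv(4096)  # read the request, as a real web server would
                    conn.sendall(FAKE_RESPONSE)
                except OSError:
                    pass  # scanner connections close without sending anything

    threading.Thread(target=serve, daemon=True).start()
    return port, srv


def connect_scan(host, ports, timeout=0.5):
    """Equivalent of `nc -zv host lo-hi`: full TCP connect per port, returns the open ones."""
    open_ports = []
    for p in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, p))  # completes the three-way handshake, so it is logged
            open_ports.append(p)
        except OSError:
            pass  # refused (closed) or timed out (filtered)
        finally:
            s.close()
    return open_ports


def grab_http_banner(host, port, timeout=3.0):
    """Send the request typed into `nc host 80` and return the response headers as a dict."""
    # The trailing empty line (\r\n\r\n) is what ends the request; without it the
    # server waits and no banner comes back.
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {"status": lines[0]}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers


if __name__ == "__main__":
    port, srv = start_fake_http_server()
    print("open ports:", connect_scan("127.0.0.1", range(port - 5, port + 6)))
    banner = grab_http_banner("127.0.0.1", port)
    print("server header:", banner.get("server"), "| status:", banner["status"])
    srv.close()
```

For a real target replace 127.0.0.1 with <target_IP> and the range with the ports of interest; the scan will take up to the timeout per filtered port, which is why Nmap, not a connect loop, is the right tool for a full port sweep.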
