Laboratory Exercise E1 Reconnaissance and Network Scanning Lab

ITN263

Term: Fall 2024

Laboratory Exercise Week 2 – Cyber Basics - Reconnaissance and Network Scanning Lab

Due Date: 9/5/2024

1. Overview

This laboratory exercise will provide some hands-on experience with reconnaissance, network scanning,
and service enumeration.

2. Resources required

This exercise requires the latest Cyber Basics environment running in the Cyber Range.

3. Initial Setup

Log in to your Cyber Range account and select the latest Cyber Basics environment. Start your
environment and, if necessary, log in using the username student and password student.

4. Tasks

Task 1: Whois lookups

For this portion of the exercise, you can use a web browser on your laptop or desktop computer or log in
to your Cyber Basics environment in the Cyber Range.

Whois is a tool for querying databases containing domain registration data to determine ownership, IP
address, and other information. It was an early Unix/Linux command-line utility but is now mostly
accessed from various web pages such as ViewDNS.info, as shown below. A reverse whois lookup can be
used to find domains that are registered by a particular individual or organization.

a. Open a web browser and browse to https://whois.icann.org/. This is an authoritative source
for whois information that does not include advertisements and other clutter on the page.
Who is ICANN and why are they an authoritative source for whois information?

b. Do a whois lookup on the domain sekritskwerl.com. To whom is the domain registered?

c. A reverse whois lookup lets you search the database for contact information (name or email
address) and find domains registered to that person. Some reverse lookup providers have
better information than others. Go to http://viewdns.info/ and look up someone you know
who might have domains registered by their name or email address. Can you find any
registered domains for [email protected]?

© 2024 Virginia Cyber Range. Created by David Raymond, Ph.D., CISSP, Virginia Tech. (CC BY-NC-SA 4.0)

Task 2: nslookup and dig

Nslookup is a Linux and Windows tool for querying the distributed database that makes up the domain
name system (DNS). This database translates hostnames (such as www.virginiacyberrange.org) to IP
addresses (23.185.0.1). This translation is necessary because your computer must have the IP address of
systems, such as web servers, that it communicates with, but humans are not good at remembering
strings of numbers so we remember hostnames instead. DNS converts hostnames to the proper IP
address so your web browser can find that web page. This DNS lookup usually happens in the
background so users don’t realize it is happening. You can use the nslookup tool to do this mapping
from the command line.

a. Open a terminal window and open the Linux ‘man page’ for the nslookup utility ($ man
nslookup) to find more information about nslookup. What is the default value for the
‘type=’ option in nslookup? What are some other possible DNS record types?

b. Use nslookup to find the IP version 4 address for virginiacyberrange.org. What is the IP
address?

[NOTE: Dig is another, and generally more powerful, tool for DNS database queries. However, dig is
only available on Linux and Unix systems.]

c. Open a terminal window and examine the Linux ‘man page’ for the dig utility to find more
information about dig. What does the ‘-x’ command-line option do in dig?

d. Use dig at the command line to look up the IP address for virginiacyberrange.org. Did you
get the same answer as you did above?


e. Use dig to conduct a reverse lookup of the IP address 8.8.8.8 (review the manual page if
necessary to determine how to do a reverse lookup). What is the hostname that
corresponds with that IP address?
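The reverse lookup in step e. is worth seeing from the inside: dig -x does not send the IP address to the server; it rewrites the octets into a name under in-addr.arpa and asks for a PTR record. The script below, added here as an illustration and not part of the Virginia Cyber Range handout, builds that name, parses the ANSWER SECTION of dig output so a script can compare dig and nslookup results, and exercises the parser on constructed dig output (the hostname in the sample is a placeholder, not the real answer for 8.8.8.8, so that the example runs without a network).

```shell
#!/bin/sh
# Added example (not part of the lab handout): what `dig -x` does behind the
# scenes, plus a parser for dig's ANSWER SECTION. The dig output below is
# constructed; the PTR hostname is a placeholder, not a real lookup result.

# Build the reverse-DNS query name for an IPv4 address. `dig -x 8.8.8.8`
# reverses the octets and asks for the PTR record of 8.8.8.8.in-addr.arpa.
reverse_name() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    if [ $# -ne 4 ]; then
        echo "reverse_name: expected a dotted-quad IPv4 address" >&2
        return 1
    fi
    printf '%s.%s.%s.%s.in-addr.arpa\n' "$4" "$3" "$2" "$1"
}

# Print the RDATA of every ANSWER SECTION record of the requested type
# (A, PTR, MX, ...) from full dig output read on stdin. Answer lines have the
# form: name TTL IN TYPE RDATA, so the type is field 4 and the data field 5.
answer_rdata() {
    awk -v want="$1" '
        /^;; ANSWER SECTION:/   { in_answer = 1; next }
        /^$/                    { in_answer = 0 }
        in_answer && $4 == want { print $5 }
    '
}

# Constructed sample of `dig -x 8.8.8.8` output (hostname is a placeholder).
SAMPLE_DIG_X='; <<>> DiG 9.18.24 <<>> -x 8.8.8.8
;; QUESTION SECTION:
;8.8.8.8.in-addr.arpa.    IN  PTR

;; ANSWER SECTION:
8.8.8.8.in-addr.arpa.  3600  IN  PTR  resolver.example.

;; Query time: 12 msec'

# Reverse-resolve with dig; with --offline, run the parser over the sample
# instead so the flow can be exercised without a network.
reverse_lookup() {
    if [ "$2" = "--offline" ]; then
        printf '%s\n' "$SAMPLE_DIG_X" | answer_rdata PTR
    else
        dig -x "$1" | answer_rdata PTR
    fi
}

# The same query spelled out for nslookup (type must be given explicitly):
#   nslookup -type=PTR "$(reverse_name 8.8.8.8)"

echo "reverse name for 8.8.8.8: $(reverse_name 8.8.8.8)"
echo "PTR from sample dig output: $(reverse_lookup 8.8.8.8 --offline)"
```

On the range, `reverse_lookup 8.8.8.8` (without --offline) runs the real dig and prints only the PTR data, which makes it easy to compare the answer with what nslookup returns for the same in-addr.arpa name.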

Task 3: Network scanning using nmap

a. Identify your subnet. Your Kali Linux virtual machine in the Cyber Range is connected to a
small network subnet with other systems. Our first step in this exercise is to understand our
network neighborhood.

The ifconfig command can be used to determine your IP address and the network range of your
subnet.

1) What is the IP address of your virtual machine (inet)? ________________________

2) What is your subnet mask (netmask)? _______________________

3) How many unique hosts could you have in your subnet (how many IP addresses)? _______
[Hint: if you have trouble here, refer to www.mxtoolbox.com/SubnetCalculator.aspx]
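The three questions above are plain subnet arithmetic, and doing it once by hand (or script) is a better check than a web calculator. The script below is an added example, not part of the handout: it pulls inet and netmask out of constructed ifconfig output (the addresses are made up; on the range you would pipe the real `ifconfig` output through the same functions), converts the netmask to a prefix length after checking that its one-bits are contiguous, and computes the network address, broadcast address, total address count and usable host count.

```shell
#!/bin/sh
# Added example (not part of the lab handout): the subnet arithmetic behind
# Task 3a in POSIX shell. The ifconfig output is constructed for this example.

SAMPLE_IFCONFIG='eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.1.16.37  netmask 255.255.240.0  broadcast 10.1.31.255
        ether 02:42:0a:01:10:25  txqueuelen 1000  (Ethernet)'

# Print the word that follows a keyword (inet, netmask, broadcast) in ifconfig
# output read on stdin. "inet6" is a different token, so it is not matched.
field_after() {
    awk -v key="$1" '{ for (i = 1; i < NF; i++) if ($i == key) print $(i + 1) }'
}

# Dotted quad <-> 32-bit integer, using only shell arithmetic.
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int_to_ip() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                           $(( ($1 >> 8) & 255 ))  $(( $1 & 255 ))
}

# Prefix length of a netmask: count its one-bits, after checking that the ones
# are contiguous (m | (m - 1) is all ones only for masks of the form 1...10...0),
# so a typo such as 255.255.239.0 is rejected instead of silently counted.
mask_to_prefix() {
    m=$(ip_to_int "$1")
    if [ $(( m | (m - 1) )) -ne 4294967295 ]; then
        echo "mask_to_prefix: $1 is not a contiguous netmask" >&2
        return 1
    fi
    n=0
    while [ "$m" -ne 0 ]; do
        n=$(( n + (m & 1) ))
        m=$(( m >> 1 ))
    done
    echo "$n"
}

# Total addresses in a block, and the usable host count (block minus network
# and broadcast; /31 and /32 have no such reservation).
addresses_in_prefix() { echo $(( 1 << (32 - $1) )); }
usable_hosts() {
    total=$(addresses_in_prefix "$1")
    if [ "$1" -ge 31 ]; then echo "$total"; else echo $(( total - 2 )); fi
}

network_of()   { int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") )); }
broadcast_of() { int_to_ip $(( $(ip_to_int "$1") | ($(ip_to_int "$2") ^ 4294967295) )); }

# Answer questions 1-3 for one interface's ifconfig output.
subnet_summary() {
    ip=$(printf '%s\n' "$1" | field_after inet)
    mask=$(printf '%s\n' "$1" | field_after netmask)
    prefix=$(mask_to_prefix "$mask") || return 1
    printf '%s/%s: %s addresses, %s usable hosts (%s - %s)\n' \
        "$(network_of "$ip" "$mask")" "$prefix" \
        "$(addresses_in_prefix "$prefix")" "$(usable_hosts "$prefix")" \
        "$(network_of "$ip" "$mask")" "$(broadcast_of "$ip" "$mask")"
}

subnet_summary "$SAMPLE_IFCONFIG"
```

For the sample interface this prints 10.1.16.0/20 with 4096 addresses and 4094 usable hosts, which matches the /20 blocks the handout describes for the exercise subnets; `subnet_summary "$(ifconfig eth0)"` does the same for the live interface.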

b. There are different ways to accomplish host discovery on a subnet. For this exercise, we will
use nmap (https://nmap.org/book/man.html), a widely used tool for network exploration
and port scanning. Nmap can be used to scan a single hostname, a single IP address, or a range of
addresses. To scan a single host you would use the following command:


$ nmap <hostname or IP address>

By default, nmap will conduct a port scan of the target address(es), trying to connect to
ports 1 – 1000 for each IP address scanned and report which ports it finds open, or
“listening” (for more information on network ports, see
https://en.wikipedia.org/wiki/Port_(computer_networking)). This provides thorough scan
results, but creates a lot of network traffic and can take a long time to complete. For our
first scan, we will use nmap’s -sn switch, telling nmap to simply send a ping packet to each
IP address and listen for replies to identify active hosts on the subnet. To scan a range of
addresses we give the starting address, then a dash and the last octet of the ending address
(nmap expands the range within that octet; it does not accept two full dotted addresses):

$ nmap -sn <first address>-<last octet of last address>

Or we can use CIDR notation (for more details on Classless Inter-Domain Routing, see
https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing). Each of the exercise
subnets is a /20 block (4096 addresses in total). If you run nmap with the -sn flag and
your IP address followed by /20, it will discover the active systems in your subnet.

$ nmap -sn <your IP address>/20

1) Use the nmap command to discover all hosts in your subnet. Write down the full
nmap command that you issued:

_______________________________________________________

2) Which IP addresses (besides your own) did you discover on your subnet?

____________________________________________

____________________________________________

____________________________________________

____________________________________________

c. Port scan. Our next goal is to learn more about the other systems running in your subnet. Now
that we have identified potential target system(s), we will scan each of them to identify the
network ports on which the system accepts connections. Use nmap with no flags to
scan each host (besides your own) that you discovered in step b.2) above.

1) List each IP address scanned and the port numbers exposed on each system.

IP Address “Open” ports


2) Which systems (IPs) are running web server software? ____________________

(Hint: web servers use the Hypertext Transfer Protocol (HTTP). See
https://en.wikipedia.org/wiki/Port_(computer_networking) for a short list of common
protocols and the ports that they run on.)
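Steps b. and c. produce nmap output that you then have to turn into the table and the web-server answer by hand. The script below, added here as an illustration and not part of the handout, does that transcription from nmap's normal output: it lists the hosts a -sn scan reported up (excluding your own address), builds one line per scanned host with its open ports, and flags hosts whose open ports or service names point to HTTP. The nmap output it runs over is constructed (made-up hosts on a made-up 10.1.16.0/20 subnet) so the example runs offline; on the range you would pipe real output, for instance `nmap -sn 10.1.16.37/20 | live_hosts 10.1.16.37`. Note that only the "open" state is counted: "filtered" means the probe got no answer, not that something is listening.

```shell
#!/bin/sh
# Added example (not part of the lab handout): turning nmap normal output into
# the Task 3c table and a first answer to question c.2. Scan output below is
# constructed for this example (made-up hosts, made-up subnet).

# Constructed `nmap -sn 10.1.16.37/20` output (host discovery only).
SAMPLE_SN='Starting Nmap 7.94 ( https://nmap.org ) at 2024-09-01 10:00 EDT
Nmap scan report for 10.1.16.1
Host is up (0.00050s latency).
Nmap scan report for 10.1.16.5
Host is up (0.0010s latency).
Nmap scan report for 10.1.16.9
Host is up (0.0012s latency).
Nmap scan report for 10.1.16.12
Host is up (0.0011s latency).
Nmap scan report for 10.1.16.37
Host is up.
Nmap done: 4096 IP addresses (5 hosts up) scanned in 9.87 seconds'

# Constructed output of a default `nmap <host>` port scan of three of them.
SAMPLE_PORTS='Starting Nmap 7.94 ( https://nmap.org ) at 2024-09-01 10:05 EDT
Nmap scan report for 10.1.16.5
Host is up (0.0010s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap scan report for 10.1.16.9
Host is up (0.0012s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE    SERVICE
21/tcp   open     ftp
25/tcp   filtered smtp
3306/tcp open     mysql

Nmap scan report for 10.1.16.12
Host is up (0.0011s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE
443/tcp  open  https
8080/tcp open  http-proxy

Nmap done: 3 IP addresses (3 hosts up) scanned in 4.21 seconds'

# Hosts a -sn scan reported up, excluding our own address ($1) as step b.2 asks.
# A report line may read "for name (ip)", so parentheses are stripped from the last field.
live_hosts() {
    awk -v self="$1" '
        /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host) }
        /^Host is up/ && host != self { print host; host = "" }
    '
}

# One line per scanned host: "<ip><TAB><open ports, comma separated>" ("-" if none).
# Only lines whose STATE column is "open" count; "filtered" lines are skipped.
open_ports_table() {
    awk '
        function flush() { if (host != "") print host "\t" (ports == "" ? "-" : ports) }
        /^Nmap scan report for / { flush(); host = $NF; gsub(/[()]/, "", host); ports = ""; next }
        $2 == "open" && $1 ~ /^[0-9]+\/(tcp|udp)$/ {
            split($1, p, "/")
            ports = (ports == "" ? p[1] : ports "," p[1])
        }
        END { flush() }
    '
}

# Hosts with an open port conventionally used for HTTP/HTTPS, or whose nmap
# service name starts with "http": a starting point for c.2, to be confirmed by hand.
web_servers() {
    awk '
        /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host); reported = 0; next }
        $2 == "open" && !reported &&
            ($1 ~ /^(80|443|8080|8443)\/tcp$/ || $3 ~ /^http/) { print host; reported = 1 }
    '
}

echo "Live hosts (besides 10.1.16.37):"
printf '%s\n' "$SAMPLE_SN" | live_hosts 10.1.16.37
echo "Open ports per host:"
printf '%s\n' "$SAMPLE_PORTS" | open_ports_table
echo "Likely web servers:"
printf '%s\n' "$SAMPLE_PORTS" | web_servers
```

The port-to-protocol mapping in web_servers is a convention, not a guarantee: nmap's default service column comes from its port table, so a service on an unusual port (or something other than HTTP on port 80) would need the version-detection scan or a manual check to confirm.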

5. References

● http://viewdns.info/
● https://nmap.org/book/man.html
● https://en.wikipedia.org/wiki/Port_(computer_networking)
● https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
