Lab - Exploring Nmap

Lab 4.5.2.10 - Exploring Nmap


This lab has been updated for use on NETLAB+.
www.netdevgroup.com

Topology

Objectives
Part 1: Exploring Nmap
Part 2: Scanning for Open Ports

Background / Scenario
Port scanning is usually part of a reconnaissance attack. There are a variety of port scanning methods that
can be used. We will explore how to use the Nmap utility. Nmap is a powerful network utility that is used for
network discovery and security auditing.

Part 1: Exploring Nmap


In this part, you will use manual pages (or man pages for short) to learn more about Nmap.
The man [program | utility | function] command displays the manual pages associated with the arguments.
The manual pages are the reference manuals found on Unix and Linux OSs. These pages can include these
sections: Name, Synopsis, Description, Examples, and See Also.
a. Launch the CyberOps VM. Log in with username analyst and the password cyberops.

b. Open a terminal.

© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 8

c. At the terminal prompt, enter man nmap.


[analyst@secOps ~]$ man nmap

What is Nmap?

What is Nmap used for?

d. While in the man page, you can use the up and down arrow keys to scroll through the pages. You can
also press the space bar to forward one page at a time.
To search for a specific term or phrase, enter a forward slash (/) or question mark (?) followed by the
term or phrase. The forward slash searches forward through the document, and the question mark
searches backward through the document. The key n moves to the next match.


Type /example and press Enter. This will search for the word example forward through the man page.

e. In the first instance of example, you see three matches. To move to the next match, press n.

Look at Example 1. What is the nmap command used?

Use the search function to answer the following questions.


What does the switch -A do?


What does the switch -T4 do?

f. Scroll through the page to learn more about nmap. Type q when finished.

Part 2: Scanning for Open Ports


In this part, you will use the switches from the example in the Nmap man pages to scan your localhost, your
local network, and a remote server (Metasploitable).

Step 1: Scan your localhost.


a. If necessary, open a terminal on the VM. At the prompt, enter nmap -A -T4 localhost. Depending on
your local network and devices, the scan will take anywhere from a few seconds to a few minutes.
[analyst@secOps ~]$ nmap -A -T4 localhost

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-01 17:20 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000056s latency).
Other addresses for localhost (not scanned): ::1
rDNS record for 127.0.0.1: localhost.localdomain
Not shown: 996 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0               0 Apr 19 15:23 ftp_test
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 f1:61:50:02:94:ba:f2:bd:be:93:cf:14:58:36:b8:32 (RSA)
|_  256 94:33:25:a5:0e:02:d7:bc:c8:b0:90:8a:a2:16:59:e5 (ECDSA)
23/tcp open  telnet  Openwall GNU/*/Linux telnetd
80/tcp open  http    nginx 1.12.0
|_http-server-header: nginx/1.12.0
|_http-title: Welcome to nginx!
Service Info: Host: Welcome; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.81 seconds


b. Review the results and answer the following questions.


Which ports and services are opened?

For each of the open ports, record the software that is providing the services.

What is the operating system?
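The Step 1 questions can also be answered programmatically. As an added example (not part of the Cisco lab), this Python script parses a report in the format nmap -A prints: it extracts the PORT table rows, the software versions and the OS from the Service Info line, and flags the findings a defender acts on first (cleartext-login services and the anonymous FTP result). The embedded sample is the lab's own localhost report, trimmed.

```python
import re

# Sample input: the nmap -A -T4 localhost report from Step 1 of this lab (trimmed).
SCAN_OUTPUT = """\
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000056s latency).
Not shown: 996 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0               0 Apr 19 15:23 ftp_test
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
23/tcp open  telnet  Openwall GNU/*/Linux telnetd
80/tcp open  http    nginx 1.12.0
|_http-title: Welcome to nginx!
Service Info: Host: Welcome; OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# One table row: "<port>/<proto> <state> <service> [<version>]".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_ports(output):
    """Return one dict per PORT table row; NSE script lines ('|') are skipped."""
    ports = []
    for line in output.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": m.group(5).strip()})
    return ports

def open_ports(output):
    return [p for p in parse_ports(output) if p["state"] == "open"]

def parse_os(output):
    """OS as reported on the 'Service Info:' line, or None if absent."""
    m = re.search(r"^Service Info:.*?OS: ([^;]+)", output, re.MULTILINE)
    return m.group(1).strip() if m else None

def findings(output, cleartext=("ftp", "telnet")):
    """Defender's view of the report: open services whose logins travel in
    cleartext, plus whether the ftp-anon script confirmed anonymous FTP."""
    weak = [p["service"] for p in open_ports(output) if p["service"] in cleartext]
    return {"cleartext_services": weak,
            "anonymous_ftp": "Anonymous FTP login allowed" in output}

if __name__ == "__main__":
    for p in open_ports(SCAN_OUTPUT):
        print(f"{p['port']}/{p['proto']} {p['service']:7} {p['version']}")
    print("OS:", parse_os(SCAN_OUTPUT), "| findings:", findings(SCAN_OUTPUT))
```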

Step 2: Scan your network.


Warning: Before using Nmap on any network, please gain the permission of the network owners
before proceeding.
a. At the terminal command prompt, enter ifconfig to determine the IP address and subnet mask for this
host. For this example, the IP address for this VM is 192.168.0.11 and the subnet mask is 255.255.255.0.
[analyst@secOps ~]$ ifconfig
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.11  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::a00:27ff:fe23:b231  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:23:b2:31  txqueuelen 1000  (Ethernet)
        RX packets 34769  bytes 5025067 (4.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10291  bytes 843604 (823.8 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
        device interrupt 19  base 0xd000
Record the IP address and subnet mask for your VM. Which network does your VM belong to?


b. To locate other hosts on this LAN, enter nmap -A -T4 network address/prefix. The last octet of the
IP address should be replaced with a zero. For example, in the IP address 192.168.0.11, the .11 is the
last octet. Therefore, the network address is 192.168.0.0. The /24 is called the prefix and is a shorthand
for the netmask 255.255.255.0. If your VM has a different netmask, search the Internet for a “CIDR
conversion table” to find your prefix. For example, 255.255.0.0 would be /16. The network address
192.168.0.0/24 is used in this example.
Note: This operation can take some time, especially if you have many devices attached to the network. In
one test environment, the scan took about 4 minutes.
[analyst@secOps ~]$ nmap -A -T4 192.168.0.0/24

How many hosts are up?

From your Nmap results, list the IP addresses of the hosts that are on the same LAN as your VM. List
some of the services that are available on the detected hosts.
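The rule in Step 2b (zero the last octet, /24 for 255.255.255.0) is the special case of masking the IP address with the netmask and counting the mask's one bits. As an added example (not part of the Cisco lab), this Python script does that for any netmask, rejects non-contiguous masks, and builds the scan target in the form the lab's command expects; it goes beyond the /24 case in the text.

```python
import ipaddress

def mask_to_prefix(netmask):
    """Convert a dotted netmask such as 255.255.255.0 to its CIDR prefix length.
    Raises ValueError for a non-contiguous mask (e.g. 255.0.255.0)."""
    bits = int(ipaddress.IPv4Address(netmask))
    prefix = bin(bits).count("1")
    # A valid mask is `prefix` one bits followed by zeros; rebuild it and compare.
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask: {netmask}")
    return prefix

def network_for(ip, netmask):
    """Network address in CIDR form, e.g. 192.168.0.11 + 255.255.255.0 -> 192.168.0.0/24.
    For masks other than /24 the host bits are cleared rather than just the last octet."""
    prefix = mask_to_prefix(netmask)
    # strict=False lets a host address be given; the host bits are masked off.
    return str(ipaddress.IPv4Network(f"{ip}/{prefix}", strict=False))

def scan_target_args(ip, netmask):
    """Argument list for the lab's LAN scan: nmap -A -T4 <network address>/<prefix>."""
    return ["nmap", "-A", "-T4", network_for(ip, netmask)]

if __name__ == "__main__":
    # Values from the ifconfig output in Step 2a.
    print(" ".join(scan_target_args("192.168.0.11", "255.255.255.0")))
    # A /26 subnet: zeroing only the last octet would give the wrong network.
    print(network_for("192.168.0.100", "255.255.255.192"))
```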


Step 3: Scan a remote server.


a. At the terminal prompt, enter nmap -A -T4 209.165.200.235.
[analyst@secOps ~]$ nmap -A -T4 209.165.200.235


b. Review the results and answer the following questions.


Which ports and services are opened?

Which ports and services are filtered?

What is the operating system?

Reflection
Nmap is a powerful tool for network exploration and management. How can Nmap help with network security?
How can Nmap be used by a threat actor as a nefarious tool?
