HW 2 - Scanning

The document outlines a lab exercise for CYBR 3800 focused on network scanning and mapping using tools like Nmap, Hping3, and Advanced IP Scanner. It includes detailed instructions for setting up virtual machines, performing various types of scans, and analyzing results to enhance network security. Additionally, it covers the use of SolarWinds Network Topology Mapper for visualizing network structure and identifying potential vulnerabilities.

Uploaded by shaunnord

HW 2 – Scanning & Mapping

CYBR 3800

Objective:

Utilize Nmap and other network scanning tools to discover hosts on a network, and map network
devices.
Pre-Lab:
Download links: (Also on G:\GlenSagers drive in lab)
BIG NOTE: There are several links for each file. Each is the same; you only need to download one
copy of each file. This is to try to get around some of the speed and bandwidth limitations of
SharePoint. For SharePoint only, you will need to log in as [email protected], with your SUU
password.
- Kali Linux –
  - Proton Drive: https://drive.proton.me/urls/9YF2G7H9GM#DhfUfeFYU3kj
  - iCloud: https://www.icloud.com/iclouddrive/0d5TNfNG0NP1uuU7cw7TyruWw#kali-linux-2024.4-virtualbox-amd64-updated%5F01-25
  - SharePoint (Login Required): kali-linux-2024.4-virtualbox-amd64-updated_01-25.7z
- Metasploitable 3 Linux –
  - Proton Drive: https://drive.proton.me/urls/E83HDSTB44#hroAR1b2VfwZ
  - iCloud: https://www.icloud.com/iclouddrive/00alx31zeqVKEhnyE5HfL0-dg#Metasploitable_3_Ubuntu_14.04
  - SharePoint (Login Required): https://suu.sharepoint.com/:u:/s/CSIS/EVaeysaaw0BFtxjUMEbol-8B1MBlQO2m1kKFcoP4FoXm-A?e=Cbz5RZ
- Metasploitable 3 Win2K8 –
  - Proton Drive: https://drive.proton.me/urls/5BVTC5376W#uP6qXAHS49k0
  - iCloud: https://www.icloud.com/iclouddrive/004xz2EdVuBgIDdsyjOpM324w#metasploitable3%5Fwin2k8
  - SharePoint (Login Required): https://suu.sharepoint.com/:u:/s/CSIS/Ee8KfpMvhRFGhGpNatMkgDcB1myl-Q1e7tqGXCJtBLwPlg?e=eD7PHP
- Windows 10 21H1 with SolarWinds Network Mapper –
  - Proton Drive: https://drive.proton.me/urls/THTEDCNNCW#cmVgUm6DC8sX
  - iCloud: https://www.icloud.com/iclouddrive/0952nw51DJ_-8DUgCi7Wn4wCA#Win10x64%5F21H1%5Fwith%5Fsolarwinds
  - SharePoint (Login Required): Win10x64_21H1_with_solarwinds.7z

The files are distributed as either zip/7zip or open virtualization appliance (.ova) files. To import .ova
files into VirtualBox, simply double-click on them, and follow the wizard to import them. For .zip
and .7z files, unpack them, and click on the .vbox file.
The lab room (306) does not allow bridged networking in VirtualBox, so you will need to use the
“NAT Network”. This option is unfortunately named, as there is another option simply called
“NAT” which is the default for VirtualBox. To change the network for the machines:

1. Open VirtualBox, then under “File”, choose “Preferences”.

2. Go to the “Network” tab and click the “+” icon on the right. A new network called
“NatNetwork” will be created.
a. Double-click on the new network and change the name to “MultimachineNAT”. Change
the Network CIDR (IP address range) to 10.0.5.0/24, and leave “Supports
DHCP” checked, then click “OK”, and “OK” again.
3. Check that the network settings for all VMs are set to “NAT Network” and “MultimachineNAT”
before powering on the VMs.

Credentials:
1. Kali username: kali, password: kali
2. Metasploitable Linux username: vagrant, password: vagrant
3. Metasploitable Win2K8 username: vagrant, password: vagrant
4. Windows 10 username: student, password: AB12cd34

To adjust the resolution of Kali, run the command xrandr -s 1440x900. This size is comfortable
on most HD screens. Running xrandr by itself shows all available resolutions.
Record your VM’s IP addresses here:

Kali: 10.0.5.4

Metasploitable Linux: 10.0.5.6

Metasploitable Windows 2008: 10.0.5.7

Windows 10: 10.0.5.5

Part 1: Port Scanning

Do the following from within your Kali VM.

Nmap

1. To launch Nmap, you have two options, use whichever you’re comfortable with:

1.1. Launch a terminal, become root, then type nmap followed by whatever options you will
be using.

1.2. Use the applications menu in the top-left, then 01- Information Gathering, then click on
“Nmap”. This just opens a terminal with the Nmap help showing; you’ll still have to
type nmap with the options you want.

1.3. Use the applications menu in the top-left, then 01- Information Gathering, then click on
“Zenmap” to launch the Nmap GUI. (Hint: nmapfe-kbx from a terminal also launches
the GUI.)

2. Scanning a single machine:

2.1. (.5 pts) Scan Metasploitable Linux, with default options for Nmap, and insert a
screenshot here:

3. Scanning multiple machines:

You can specify multiple Target IP addresses in Zenmap with just a space between them, as
shown below. You can also scan an IP address range by using a dash between the lowest and
highest numbers in the range.

3.1. (.5 pts) Scan your other machines’ IP addresses by putting them in with spaces between,
and insert several screenshots of the output of Nmap or Zenmap, making sure the IP
addresses you scanned show in the screenshots.

Screenshots of results of IP range scan


4. OS and service version detection

4.1. Nmap can detect versions of software, and operating systems. This can be very useful in
getting more information about the host being investigated, and finding vulnerabilities for
specific software versions.

4.2. (.5 pts) Scan your VMs using Nmap’s OS detection and service version detection
options, and insert a screenshot here.
5. Scanning only certain ports. Nmap allows specification of ports, to avoid scanning more than
needed.
5.1. (.5 pts) Scan ports 22, 80, 443, 139, and 445 on your VMs, and insert a screenshot here.

5.2. (.5 pts) Scan all the ports on your Metasploitable Win2K8 machine, using a TCP connect
scan type. You can use the port range or a wildcard. Insert a screenshot here.
6. Scanning UDP. Nmap can also scan UDP ports, such as used by DNS.

6.1. (.5 pts) Perform a UDP scan against your Metasploitable Linux machine with default
options. Be aware this scan will take a long time, as UDP doesn’t respond if a port is
closed. Feel free to move on in another terminal and return to take a screenshot later! Insert
a screenshot here.
7. Other scans. Nmap is capable of many other types of scans. Find a tutorial online, and perform
two additional types of scans, not including “Ping Sweep”, covered below. For each, give the
command line options that need to be used, a brief explanation of what the scan should show,
and insert a screenshot of it running against one of your machines.

7.1. Scan 1.

a) (.5 pts) Command line options: sudo nmap -sS

b) (.5 pts) Explanation: A TCP SYN scan is a fast and stealthy way to check if ports are
open by sending a SYN request without completing the full connection. It helps hackers
and security testers find open ports while avoiding detection by firewalls or intrusion
detection systems (IDS).

c) (.5 pts) Screenshot


7.2. Scan 2.

a) (.5 pts) Command line options: sudo nmap -A

b) (.5 pts) Explanation: The Aggressive Scan (-A) in Nmap gathers detailed information
about a target by combining OS detection, service version detection, traceroute, and
script scanning. It can identify the operating system, open services, their versions, and
possible vulnerabilities. While this scan is useful for deep reconnaissance, it is easily
detected by firewalls and security systems.

c) (.5 pts) Screenshot


Hping3

Hping3 can also do port scans. The basic syntax is the scan option (-8), followed by a port range and
then the scan type. For more details, use the --help option of hping3.

1. (.5 pts) Scan ALL ports of the Metasploitable Linux box with hping3, and insert one screenshot
here, being sure it shows the command line used, and the first section of output.
Ping Sweep

A ping sweep is a quick way to see which hosts are up. We’ll try two tools to do a ping sweep of the
network range; the “ping” program cannot do this alone.

1. (.5 pts) Nmap. Use Nmap’s “disable port scan” option to do a ping sweep of the network range
of the subnet your VMs are on. Insert just one screenshot of the results.
2. (.5 pts) Nmap. Use Nmap’s “TCP SYN discovery” option on port 22 to scan the range above.
Insert one screenshot of the results. Note: In this case, the results should look the same, since
we’re not blocking ping on any machines. The TCP SYN discovery option normally lets us
find hosts blocking ping.
3. (.5 pts) Hping3. Use hping3’s scan mode to scan our IP range. The syntax is

hping3 -1 --rand-dest 10.0.5.x -I eth0

Be sure to use this exact command, or you’ll scan a lot of IP addresses you don’t mean
to scan.

Kill the scan with CTRL+C after about a screen full of results have been generated.
Insert a screenshot of the results.
Banner grabbing

Banner grabbing is useful to determine which versions of software are running. Various tools can do
this. Nmap has a script to do banner grabbing; we saw a version of this, plus OS detection, earlier in
this lab, but just grabbing banners is a little faster. There are also manual ways of doing a banner grab.

1. (.5 pts) Use the Nmap --script option to do a banner grab against your Metasploitable Win2K8
machine. Insert a screenshot of the results.
2. (.5 pts) Use either netcat or telnet to grab the banners from ports 21, 22, and 80. Insert
screenshots showing the version numbers of each port below. Hints: netcat’s built-in binary is
simply nc, or you can use the one built into nmap, which is ncat, and for at least port 80
you’ll have to issue a command. You’ll also have to press “Enter” twice for either telnet or
netcat to get results.
3. (.5 pts) Do the versions of software running shown by both Nmap and either netcat or telnet
match? Yeah
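As an added example, not part of the handout or the student's answer: a small Python banner grabber that does what the netcat/telnet step above describes (connect, send a request on port 80 since a web server stays silent until asked, and read whatever the service says first), plus a parser that pulls the advertised software string out of the reply so it can be compared with Nmap's -sV column for question 3. The host address, the port-to-probe mapping, and the sample replies are constructed for the example; no real scan output is used.

```python
"""Manual banner grab and version comparison (added example, not the lab's code)."""
import re
import socket

# Services that wait for the client to speak first, and what to send them.
# Port 80 is the one the handout calls out; others are assumed to answer on connect.
CLIENT_FIRST = {
    80: b"HEAD / HTTP/1.0\r\nHost: localhost\r\n\r\n",
}

# Constructed reply, as a web server on port 80 might answer the HEAD probe.
SAMPLE_HTTP_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.7 (Ubuntu)\r\n"
    "Content-Type: text/html\r\n\r\n"
)

VERSION_RE = re.compile(r"\d+(?:\.\d+)+[A-Za-z0-9]*")


def grab_banner(host, port, timeout=5.0):
    """Connect, send a probe if the protocol needs one, return the first text received."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        probe = CLIENT_FIRST.get(port)
        if probe:
            sock.sendall(probe)
        sock.settimeout(timeout)
        chunks = []
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
                # HTTP: stop at end of headers; greeting-first protocols: stop at first line.
                if b"\r\n\r\n" in b"".join(chunks) or (probe is None and b"\n" in data):
                    break
        except socket.timeout:
            pass  # some services send a greeting and then go quiet; keep what we have
    return b"".join(chunks).decode("latin-1", errors="replace")


def parse_banner(port, text):
    """Return the software string a service advertises, or None if nothing usable came back."""
    if port == 22:
        m = re.match(r"SSH-\d\.\d-(\S+)", text)
        return m.group(1) if m else None
    if port == 21:
        m = re.match(r"220[ -](.*)", text)
        return m.group(1).strip().strip("()") if m else None
    if port == 80:
        m = re.search(r"^Server:\s*(.+?)\r?$", text, re.MULTILINE | re.IGNORECASE)
        return m.group(1).strip() if m else None
    return text.splitlines()[0].strip() if text.strip() else None


def same_version(nmap_text, banner_text):
    """True when Nmap's -sV string and the raw banner carry the same first version number."""
    a = VERSION_RE.search(nmap_text or "")
    b = VERSION_RE.search(banner_text or "")
    return bool(a and b and a.group(0) == b.group(0))


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "10.0.5.6"  # assumed lab VM address
    for port in (21, 22, 80):
        try:
            print(port, parse_banner(port, grab_banner(host, port)))
        except OSError as exc:
            print(port, "no banner:", exc)
```

Run it as `python3 banner_check.py 10.0.5.6` from the Kali VM to get one line per port; `same_version("OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13", "OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13")` is the kind of comparison question 3 asks for, done on the version number rather than on the whole string, because Nmap normalises spacing and punctuation that the raw banner keeps.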

Describe in a paragraph how nmap, hping3, and netcat could be useful in increasing organizational
information security in a network. In other words, how could these tools help you as a network
administrator?

(2 pts) Nmap, hping3, and netcat are powerful tools that can help network administrators
improve security by identifying weaknesses in a network. Nmap is useful for scanning
networks to find open ports, running services, and potential vulnerabilities, allowing
administrators to close unnecessary ports and update outdated software. Hping3 is great for
testing firewalls and network defenses by sending different types of network packets to see
how systems respond, helping to spot misconfigurations or weak points. Netcat allows
administrators to test connections, transfer files, and troubleshoot network services by
manually interacting with different ports. By using these tools, a network administrator can
better understand their network's security posture, detect potential threats, and take steps to
protect important systems from cyberattacks.
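The question above asks how these tools help an administrator. As an added example (not part of the handout or the student's answer), the following Python script shows the most direct administrative use of the Nmap scans from Part 1: parse an Nmap XML report (Nmap writes one with its -oX option, e.g. nmap -sV -oX scan.xml 10.0.5.0/24) and diff it against a baseline of the ports each host is supposed to expose, so that an unexpected listener, a service that has disappeared, or a host nobody registered stands out. The XML, host addresses, product versions and the baseline are all constructed for the example.

```python
"""Diff an Nmap XML report against an expected-services baseline (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -sV -oX scan.xml` might write for the lab VMs.
# Addresses, products and versions are assumed, not real scan data.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.5.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="ProFTPD" version="1.3.5"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="6.6.1p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.7"/></port>
      <port protocol="tcp" portid="445"><state state="closed"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="10.0.5.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Microsoft IIS httpd" version="7.5"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="10.0.5.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="10.0.5.9" addrtype="ipv4"/></host>
</nmaprun>
"""

# Assumed baseline: the TCP ports each known host is supposed to expose.
BASELINE = {
    "10.0.5.6": {22, 80, 443},
    "10.0.5.7": {80, 445},
}


def parse_open_ports(xml_text):
    """Return {ip: {port: description}} for open TCP ports on hosts Nmap reports as up."""
    result = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        open_ports = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if port.get("protocol") != "tcp" or state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            if svc is None:
                desc = "unknown"
            else:
                # Prefer the "product version" that -sV fills in; fall back to the port's name.
                desc = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
                desc = desc or svc.get("name", "unknown")
            open_ports[int(port.get("portid"))] = desc
        result[addr.get("addr")] = open_ports
    return result


def diff_against_baseline(observed, baseline):
    """Flag ports open but not expected, expected but not open, and hosts not in the baseline."""
    findings = {"unexpected_open": {}, "expected_missing": {}, "unknown_hosts": []}
    for ip, ports in observed.items():
        if ip not in baseline:
            findings["unknown_hosts"].append(ip)
            continue
        extra = set(ports) - baseline[ip]
        missing = baseline[ip] - set(ports)
        if extra:
            findings["unexpected_open"][ip] = {p: ports[p] for p in sorted(extra)}
        if missing:
            findings["expected_missing"][ip] = sorted(missing)
    return findings


if __name__ == "__main__":
    report = diff_against_baseline(parse_open_ports(SAMPLE_XML), BASELINE)
    for ip, ports in report["unexpected_open"].items():
        for port, desc in ports.items():
            print(f"{ip}: {port}/tcp open but not in baseline ({desc})")
    for ip, ports in report["expected_missing"].items():
        print(f"{ip}: expected ports not open: {ports}")
    for ip in report["unknown_hosts"]:
        print(f"{ip}: host answered but is not in the baseline")
```

To run it against a real lab scan, replace SAMPLE_XML with the contents of the file written by -oX; the baseline is the administrator's own record of what should be listening, which is exactly what the scan is being checked against.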

Part 3 - IP Scanning from Windows

Do the following from within your Windows 10 VM.


Advanced IP Scanner

1. Within your Windows 10 VM, download Advanced IP Scanner from https://www.advanced-ip-scanner.com/, and unpack it.

1.1. Install Advanced IP scanner from the “Ping Sweep Tools” folder from the file you just
unzipped. You can choose either the “Run” or “Install” options on the first setup screen,
and then accept the defaults all the way through.

1.2. If not already off, turn off Windows firewall on the Windows 10 VM

2. Scanning a single machine:

2.1. (.5 pts) Scan both Metasploitable Linux and Metasploitable Win2K8, by using their IP
addresses in Advanced IP Scanner, and insert a screenshot of the results here:

2.2. (.5 pts) Do the results show that both machines are up? Yes

2.3. (.5 pts) Compare the results to the output from Nmap in the previous section. What does
this tell you about the power of Advanced IP Scanner vs Nmap?
Advanced IP Scanner is easy to use and quickly finds active devices, open services, and
manufacturer details on a network. However, it does not provide deep security analysis or detect
vulnerabilities like Nmap. Nmap is a more powerful tool for penetration testing because it can
find operating systems, service versions, and hidden weaknesses in a
network.

Part 2 - Network Mapping:


Windows 10 VM:

1. Download the trial of SolarWinds Network Topology Mapper from
https://www.solarwinds.com/network-topology-mapper, and install it. Feel free to use a junk
address, but it must be real to receive the key.

2. This semester, the software is already installed.

3. Run Network Topology Mapper as Administrator

a. (if needed, click “New Network Scan”), then accept the defaults for SNMP, WMI, and
VMware credentials, then on the Network Selection dialog, click the IP Ranges tab,
then add a range of 15 machines starting with your lowest IP address (this may go
higher than your highest IP, that’s OK) as the range, then accept the defaults for the rest
of the choices, and allow the scan to run.

4. (.5 pts) Click “Create Map” at the first results screen, then insert a screenshot of the whole
window here:

5. (.5 pts) Right-click on a node for details, then insert a screenshot of the details.
6. (.5 pts) What type of network topology did Solar Winds find? SolarWinds detected a Star
Topology, where devices connect to a central point. In this case, both the DESKTOP-
DKBA1GC and Metasploitable3-Win2K8 machines are part of this network and communicate
through the central structure.

7. (.5 pts) How could the results of the scan be used in a penetration test?

The network topology map helps visualize active devices and their connections, making it
easier to identify attack paths. It shows which devices respond to ping requests, revealing firewall rules
or hidden machines that may need further scanning. It provides IP ranges useful for targeted scans to
detect open ports, services, and vulnerabilities.

Linux:

From your Kali VM

1. (.5 pts) Use the “Zenmap” frontend for Nmap to scan the same range used in Solar Winds
above, then click on the “Topology” tab, then the “Fisheye” button. Insert a screenshot of the
topology here:

2. (.5 pts) Is this the same topology shown by Solar Winds?


No

3. (.5 pts) Right-click on a green node, then click on “Services”. What service(s) is/are shown?

4. (.5 pts) Right-click on a red node, then click on “Services”. What service(s) is/are shown?
5. (.5 pts) What does this tell you about the coloring of nodes? A green node means the host is
online but has no open ports detected. A red node indicates multiple open ports and active
services.

(1 pt) In a few sentences, compare and contrast the output of SolarWinds and Zenmap’s mapping.

SolarWinds Network Topology Mapper provides a structured, visual representation of the network,
showing connections between devices based on IP ranges and network discovery. It focuses on network
layout and infrastructure, making it useful for administrators managing network topology and device
relationships. Zenmap’s topology mapping, on the other hand, is more security-focused, identifying
active hosts, open ports, and running services. It provides detailed insights into potential vulnerabilities
and attack surfaces, making it a better tool for penetration testing and cybersecurity assessments.

(2 pts) Describe in a paragraph how Advanced IP Scanner, SolarWinds Topology Mapper, and
Zenmap’s topology mapping could be useful in a penetration test.

Each provides valuable insights for a penetration test. Advanced IP Scanner quickly identifies active
devices on the network, showing open services and basic details, which helps testers find potential
targets. SolarWinds Topology Mapper visually maps out network connections, revealing how devices
communicate and exposing weak points for lateral movement. Zenmap’s topology mapping goes
deeper by detecting open ports, running services, and potential vulnerabilities, making it useful for
identifying security gaps. Together, these tools help penetration testers understand the network
structure, locate weaknesses, and plan their next steps for further testing.
Extra Credit – you may choose to do ONE of these for extra points:
1. (5 pts) Use the Nmap Scripting Engine (NSE) to scan for one vulnerability on one of the
Metasploitable machines. Insert screenshots showing the command used, and the output which
shows that a specific service on the chosen machine is vulnerable.
