Lab1

The Lab 1 Report by Zachary C. White provides an overview of computer networking, including the value of networking, the TCP handshake process, and the differences between TCP and UDP. It also discusses connection ports, scanning techniques using Nmap and Zenmap, and the importance of scanning for security professionals. The report includes practical exercises and challenge questions related to network scanning and analysis.

Uploaded by

zacharywhite

Running head: LAB 1 REPORT 1

Lab 1 Report

Zachary C. White

Liberty University

Overview of Computer Security

CSCI 501

Dr. Joe Wilson

January 26, 2018


Lab 1 Report and Challenge Questions

Lab 1.4 Generally describe the value of having computers networked.

Computer networking provides tremendous value at a relatively low cost. Connecting different devices via network connections allows users to share files and provides the medium for text and real-time communication. Computer networks also provide an efficient means of sharing resources between machines of different types – workstations, file servers, print servers, printers, scanners, exchange servers, etc.

Lab 1.7 Describe the steps involved in a TCP handshake and some key differences between TCP and UDP, particularly with regard to speed, overhead, and reliability.

TCP utilizes a handshake, known in industry as the “three-way handshake,” in order to establish a TCP session. First, a client sends a SYN (or synchronization) segment with a randomly selected sequence number. The recipient of the SYN replies with its own SYN and acknowledges (ACK) the SYN it received. Then the original client sends an ACK acknowledging the SYN it received. Then, the client starts sending DATA (RFC793, 1981).

With respect to the differences between TCP and UDP, the main difference is that UDP is a connection-less protocol. TCP relies on a combination of sequence numbers and acknowledgements that ensures that all data reaches its destination. Also, TCP has a multitude of error-checking mechanisms that ensure that DATA hasn’t been corrupted or changed in transit. These mechanisms that provide increased reliability also generate additional overhead when compared to the light, connectionless UDP. With TCP, if a packet gets lost in transit, TCP will cause that lost DATA to be retransmitted. With UDP, there is no resend or feature allowing for the retransmission of lost data. For all intents and purposes, UDP is a “fire and forget” type protocol. Because UDP lacks some of these error checking and correction mechanisms, the speed of data transfer is quicker.

Lab 1.10 Explain the concept of a connection port and the difference between an open port and a closed port.

A connection port is a port associated with the Transport Layer of the OSI Model that is associated with some sort of application as an endpoint of communication. According to Nmap.org, an open port is a state in which “an application is actively accepting TCP connections, UDP datagrams, or SCTP associations on this port” (Nmap, n.d.). “A closed port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it” (Nmap, n.d.). The status of these connection ports is important in allowing the Nmap application to gather information about the devices on the networks it scans.
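
The open and closed states quoted above can be observed directly at the socket level. The following is an added example, not part of the original report: it attempts a full three-way handshake against two ports it creates itself on loopback, one with a listener and one without. The function names are assumptions chosen for illustration.

```python
import errno
import socket


def tcp_port_state(host, port, timeout=1.0):
    """Classify one TCP port by attempting a full three-way handshake."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        rc = s.connect_ex((host, port))  # sends SYN, waits for the reply
    if rc == 0:
        return "open"      # SYN/ACK came back and our ACK completed the handshake
    if rc == errno.ECONNREFUSED:
        return "closed"    # host answered with RST: reachable, nothing listening
    return "filtered"      # timeout or other error (Nmap's term when no answer arrives)


def demo_on_loopback():
    """Create one open and one closed port on 127.0.0.1 and classify both."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: the OS picks a free port
    listener.listen(1)                # an application is now accepting connections
    idle = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    idle.bind(("127.0.0.1", 0))       # port is reserved but never listen()ed on
    try:
        return (tcp_port_state("127.0.0.1", listener.getsockname()[1]),
                tcp_port_state("127.0.0.1", idle.getsockname()[1]))
    finally:
        listener.close()
        idle.close()


if __name__ == "__main__":
    print(demo_on_loopback())
```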

Lab 2.5 Make a screen capture showing the IP address

10.3.0.5

The eth0 IP address is 10.3.0.5/24. The lo IP address is 127.0.0.1/8.

Lab 2.14 Describe the differences between the Ping scan and the Quick scan results. Also, note what operating system (OS) is suspected for the 10.3.1.1 host.

Based on the output, the Ping scan only sends ICMP echo requests out to every possible IP address within the parameters assigned by the scan. The results are hosts on the network that return an ICMP reply. In this lab, 6 hosts responded to ping – 10.3.1.1, 10.3.1.2, 10.3.1.6, 10.3.1.7, 10.3.1.10, and 10.3.1.250. The Quick scan returns much more detail than the Ping scan. Quick scan scans the top 100 TCP ports for the defined network parameter and returns the port state and what application (service) the port belongs to. The Quick scan shows that at this point, the Operating System (OS) is unknown; however, you can make assumptions about the type of server that 10.3.1.1 is from the open ports …80/tcp, 443/tcp, 3306/tcp.

Lab 2.17 Make a screen capture showing the ports and services that were discovered for the 10.3.1.1 host.

TCP/80 (HTTP), TCP/443 (HTTPS), and TCP/3306 (SQL) were discovered in the open state during the Intense scan.

Lab 2.18 Make a screen capture showing which OS was positively identified for the 10.3.1.1 host.

Lab 2.19 Make a screen capture showing the exact version of the Web service running for the 10.3.1.1 host.

The 10.3.1.1 host is running Apache httpd 1.3.28 (Unix) mod_ssl/2.8.15 OpenSSL/0.9.7c.

Lab 3.5 Make a screen capture showing the saved scans on the desktop.

Ping Scan

Quick Scan

Intense Scan

CQ 4.1 There are two other subnets in this lab environment. Minimize the Student Kali machine to return to the lab topology. Open a machine from one of the other networks in this lab and determine the subnet address. Do the same for the third subnet. Document your steps and the subnet addresses.

10.3.2.0/24

10.3.0.0/24 (the same network on which the Student Kali is located)

Other than the 10.3.1.0/24 network (the network scanned in the first part of the lab), there are the 10.3.0.0/24 and the 10.3.2.0/24 subnetworks.

CQ 4.2 Use Zenmap to run an Intense scan of the entire virtual network. Make a screen capture showing the results and document all the ports and services running on that subnet. Save the scan as ChallengeScan.nmap on the Student Kali desktop.

Subnet         Services
10.3.0.0/24    http, msrpc, netbios-ssn, quagga (routing), vnc, vnc-http, zebra (routing)
10.3.1.0/24    http, microsoft-ds, mountd, msrpc, mysql, netbios-ssn, quagga, rpcbind, vnc, vnc-http, zebra
10.3.2.0/24    msrpc, netbios-ddn, quagga, zebra

ChallengeScan.nmap

CQ 4.3 Use Zenmap to produce a topology diagram of the entire virtual network. Ensure that all the hosts are visible on the diagram. Make a screen capture showing the topology diagram you created.

LA 1 What are some reasons an information security professional would scan a system or network of systems?

Scanning a system for open ports and protocols helps the information security professional identify what applications are enabled on a particular system. It also can assist the IT security team with establishing a baseline that can be used to compare systems over time. Additionally, scanning a system can assist administrators with identifying unneeded open ports that can be disabled, thereby reducing the attack surface of the system.

LA 2 Why is it important to learn at least a few commonly used ports and their associated services?

As professionals, it is important to “be brilliant in the basics.” Having a good knowledge of the well-known ports and protocols assists administrators with troubleshooting and quickly identifying applications in operation on the network.

LA 3 What TCP/IP protocol relies on a three-way handshake to establish a connection-oriented transmission and how might this handshake assist in network scanning?

Transmission Control Protocol (TCP) utilizes a three-way handshake in order to build persistent sessions that allow the passing of DATA. An administrator can utilize these TCP features in order to gather information about a system. Just a few types of TCP scanning are TCP connect(), TCP SYN, TCP FIN, and more! Nmap utilizes features of TCP in order to query information about the host to which it connects. Connection-oriented transmissions require bidirectional communication; connection-less protocols aren’t required to respond when an open port is identified.

LA 4 Between TCP and UDP, which protocol requires less overhead and is generally faster?

User Datagram Protocol (UDP). UDP is a connection-less protocol that does not have many of the error correction and retransmission mechanisms that TCP has. UDP is essentially a “fire and forget” protocol – it is not concerned with whether or not the receiver of the DATA actually gets it. This lack of protocol overhead in comparison to TCP allows UDP to send data at a faster rate.

LA 5 Give an example of a situation in which an information security professional might use Nmap to verify statements made by a system administrator.

An information security professional can use Nmap in order to verify that any authorized change or modification has actually been completed. It is important that, after modifications have been made, a verification process be followed in order to ensure the intended result is in effect.
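
The baseline comparison described under LA 1 and the change verification described under LA 5 come down to the same check: parse a saved scan and diff it against what is supposed to be exposed. The following is an added example, not part of the original report. The scan text is a constructed sample in Nmap's grepable (-oG) layout, and the baseline and function names are assumptions.

```python
# Constructed sample in Nmap's grepable (-oG) layout. The 10.3.1.1 open ports
# are the ones reported in the lab; the 10.3.1.2 entries are invented here.
SCAN = (
    "Host: 10.3.1.1 ()\tStatus: Up\n"
    "Host: 10.3.1.1 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, "
    "3306/open/tcp//mysql///, 22/closed/tcp//ssh///\tIgnored State: filtered (96)\n"
    "Host: 10.3.1.2 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///\n"
)

# Hypothetical approved baseline: what the administrator states is exposed.
BASELINE = {
    "10.3.1.1": {(80, "tcp"), (443, "tcp")},
    "10.3.1.2": {(135, "tcp"), (139, "tcp"), (445, "tcp")},
}


def parse_grepable(text):
    """Return {ip: {(port, proto): service}} for ports reported as open."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # skip comments and blank lines
        fields = line.split("\t")         # -oG separates fields with tabs
        ip = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                # Each entry: port/state/protocol/owner/service/rpcinfo/version/
                parts = entry.strip().split("/")
                if len(parts) >= 5 and parts[1] == "open":
                    hosts.setdefault(ip, {})[(int(parts[0]), parts[2])] = parts[4]
    return hosts


def compare(scan, baseline):
    """Per host: open ports not in the baseline, and baseline ports not seen open."""
    report = {}
    for ip in sorted(set(scan) | set(baseline)):
        seen, allowed = set(scan.get(ip, {})), baseline.get(ip, set())
        report[ip] = {"unexpected": sorted(seen - allowed),
                      "missing": sorted(allowed - seen)}
    return report


if __name__ == "__main__":
    for ip, diff in compare(parse_grepable(SCAN), BASELINE).items():
        print(ip, diff)
```

An "unexpected" entry is a candidate for the unneeded open port mentioned under LA 1; a "missing" entry means a service the baseline expects was not found open.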

LA 6 Describe the relationship between Nmap and Zenmap.

Nmap is strictly a command-line utility for network scanning. Zenmap provides an intuitive graphical user interface (GUI) that gives professionals who are not familiar with the command-line syntax the ability to perform effective scanning.

LA 7 If you wanted to use Nmap for command-line scanning, how would Zenmap help?

Zenmap would be a useful tool because, based on all of the options and scan parameters selected by the user, it creates and displays the Nmap commands that can be entered at the command line.

LA 8 What were some of the different scan profile types you used in Zenmap?

For Lab 1, we utilized Ping scan, Quick scan, and Intense scan. The Ping scan simply sends ICMP echo requests to every possible host address within a subnet. The Quick scan incorporates a port scan of the top 100 common TCP ports, and the Intense scan is able to determine the Operating System of the host (along with version) and also the services and the application versions corresponding to those services.

LA 9 What scan profile type can you use to positively identify a system’s OS?

Intense scan.

LA 10 True or False: The Zenmap application allows you to graphically present the full scanned topology.

True. An example of this is Challenge Question 4.3 above.

LA 11 True or False: The scans performed in Zenmap are automatically saved for later reference after the application is closed.

False. As we learn in the lab, scans have to be manually saved.


References

Request for Comment (RFC) 793 - Transmission Control Protocol. (1981, September). Retrieved from https://tools.ietf.org/html/rfc793

Port Scanning Basics – Nmap (n.d.). Retrieved from https://nmap.org/book/man-port-scanning-basics.html

The Art of Port Scanning – Nmap (1997). Retrieved from https://nmap.org/nmap_doc.html
