CSS Exp 5

The document outlines Experiment No. 5, focusing on using Nmap for various network scanning techniques, including port scanning, OS fingerprinting, and detecting ARP spoofing. It provides detailed explanations of Nmap commands and their functionalities, as well as insights into FTP and HTTP protocols with security considerations. The conclusion emphasizes the importance of these tools in enhancing network security and identifying vulnerabilities.

Uploaded by

Atharva Deore

Experiment No. 5

Aim:
(i) Download and install Nmap. Use it with different options to scan open ports, perform OS
fingerprinting, do a ping scan, TCP port scan, UDP port scan, Xmas scan, etc.
(ii) Detect ARP spoofing using Nmap and/or the open-source tools ARPWATCH and Wireshark. Use the
arping tool to generate gratuitous ARPs and monitor them using Wireshark.

Theory:

What is Nmap?

Nmap (Network Mapper) is a widely used open-source tool designed to scan networks, discover
hosts and services, and audit security. Created by Gordon Lyon (Fyodor), Nmap is invaluable to
system administrators and cybersecurity professionals.

Key Features:

● Port Scanning: Identify open ports and potential services running on them.
● Service Detection: Determine software versions on detected ports.
● OS Fingerprinting: Analyze TCP/IP stack responses to deduce the target's OS.
● Scripting Engine: Automate scans and extend functionality via the Nmap Scripting Engine (NSE).
● Aggressive Scanning: Includes techniques like the Xmas scan and NULL scan for stealth testing.

Commonly Used Nmap Scans:

Command                 Description
nmap <target>           Default scan (top 1000 TCP ports)
nmap -p- <target>       Full TCP port scan (all 65535 ports)
nmap -O <target>        OS detection
nmap -sn <target>       Ping scan (host discovery)
nmap -sT <target>       TCP connect scan
nmap -sU <target>       UDP port scan
nmap -sX <target>       Xmas scan using FIN, URG, PSH flags

Detailed Explanation of Nmap Commands:

Basic Port Scan: nmap <target_ip>
● Scans the top 1000 TCP ports on the target.
● Provides a quick overview of services running on commonly used ports.

Full Port Scan: nmap -p- <target_ip>
● Scans all 65535 TCP ports.
● Useful when scanning non-standard or custom port services.

OS Fingerprinting: nmap -O <target_ip>
● Enables OS detection.
● Nmap sends specially crafted packets and compares the responses against a database of
known OS signatures.

Ping Scan (Host Discovery): nmap -sn <target_ip>
● Checks whether the target is up (alive) without scanning ports.
● Uses ICMP echo request, TCP ACK, or TCP SYN probes to detect live systems.

TCP Connect Scan: nmap -sT <target_ip>
● Uses the system's TCP stack to complete the three-way handshake.
● Easier for firewalls and application logs to detect; used when a SYN scan (-sS) is not
possible, e.g. without raw-socket privileges.

SYN Scan (Stealth Scan): nmap -sS <target_ip>
● Sends SYN packets and waits for a SYN-ACK (open) or RST (closed).
● Never completes the handshake, so the application never sees a connection, which makes it
harder to detect; requires root/raw-socket privileges.

UDP Port Scan: nmap -sU <target_ip>
● Scans for services running on UDP.
● Slower and less reliable than TCP scanning because open UDP ports usually send no response;
a closed port is recognised by an ICMP port unreachable reply.

Xmas Scan: nmap -sX <target_ip>
● Sends TCP packets with the FIN, URG, and PSH flags set.
● Per RFC 793, a closed port answers with RST while an open port ignores the packet, so no reply
means open (or filtered). Stacks that do not follow the RFC, such as Microsoft Windows, send RST
for every port, so the scan cannot tell port states apart on them.
● Can evade some simple stateless firewalls.

Version Detection: nmap -sV <target_ip>
● Identifies the application name and version running on open ports.
● Helpful for vulnerability assessments.

Aggressive Scan: nmap -A <target_ip>
● Combines OS detection, version detection, script scanning, and traceroute.
● Provides detailed information about the target but is more intrusive.

Scan Multiple Targets:
nmap 192.168.1.1 192.168.1.2 192.168.1.3
● Lists multiple IPs to scan together.
nmap 192.168.1.0/24
● Scans an entire subnet using CIDR notation.
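A defender's use of the scans above is to compare runs over time. The following Python is an added example (not part of the original experiment) that parses nmap's grepable output format (-oG) and reports ports that are open now but were not in a baseline scan; the two inputs are constructed in the shape of `nmap -oG` output.

```python
"""Parse nmap grepable output (-oG) and report ports newly open since a baseline scan.
Added example, not part of the original experiment; the inputs below are constructed in
the shape of `nmap -oG` output (real files: `nmap -sS -sU -oG baseline.gnmap <target>`)."""
import re

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s*(.*)$")

def parse_gnmap(text):
    """Return {ip: {(port, proto): (state, service)}} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # '# Nmap ...' comment lines and blanks
        ip, _hostname, rest = m.groups()
        hosts.setdefault(ip, {})
        for field in rest.split("\t"):  # tab-separated: Status, Ports, Ignored State, ...
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                # entry layout: port/state/proto/owner/service/rpcinfo/version/
                parts = entry.strip().split("/")
                if len(parts) < 5:
                    continue
                port, state, proto, _owner, service = parts[:5]
                hosts[ip][(int(port), proto)] = (state, service)
    return hosts

def newly_open(baseline, current):
    """Ports reported 'open' now that were not 'open' in the baseline (exposure drift)."""
    findings = []
    for ip, ports in current.items():
        before = baseline.get(ip, {})
        for (port, proto), (state, service) in sorted(ports.items()):
            if state == "open" and before.get((port, proto), ("",))[0] != "open":
                findings.append((ip, port, proto, service))
    return findings

BASELINE = """# constructed sample
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
"""
CURRENT = """# constructed sample
Host: 192.168.1.10 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http///, 161/open|filtered/udp//snmp///\tIgnored State: closed (997)
"""

if __name__ == "__main__":
    for ip, port, proto, service in newly_open(parse_gnmap(BASELINE), parse_gnmap(CURRENT)):
        print(f"{ip}: {port}/{proto} ({service}) is open but was not in the baseline")
```

UDP ports that nmap can only report as open|filtered are kept in the parsed table but are not counted as newly open, since no reply is ambiguous.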

ARP Spoofing and Analysis

What is ARP Spoofing?

ARP spoofing (or poisoning) is a technique used to associate the attacker's MAC address with the
IP address of another host (such as the gateway), enabling interception or manipulation of traffic
(Man-in-the-Middle).

Detection Using Tools:

● ARPWATCH: Monitors ARP traffic and alerts when an IP-to-MAC mapping changes.
● Wireshark: Captures ARP packets; repeated unsolicited replies or different MACs for the same IP
indicate spoofing.
● arping: Sends ARP requests and can generate gratuitous ARPs (used in this experiment to
produce the traffic that the monitoring tools should detect).

Wireshark ARP Analysis Filters:

● Use arp as a display filter.
● Look for multiple responses for the same IP with different MACs.
● Monitor unsolicited replies (gratuitous ARPs).
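The two Wireshark checks above (one IP advertising different MACs over time, and unsolicited replies) as an added Python example that is not part of the original experiment. It replays ARP records in the shape of a `tshark -T fields` export using the real arp.opcode / arp.src.proto_ipv4 / arp.src.hw_mac / arp.dst.proto_ipv4 fields; the capture data is constructed.

```python
"""Replay captured ARP packets and flag ARP spoofing indicators (arpwatch-style).
Added example, not part of the original experiment. Each record is constructed in the
shape of `tshark -Y arp -T fields -e arp.opcode -e arp.src.proto_ipv4 -e arp.src.hw_mac
-e arp.dst.proto_ipv4` output (real field names, made-up data)."""

def detect_arp_anomalies(records):
    """Return (ip->mac table, alerts) after replaying the records in capture order."""
    table = {}    # first-seen IP -> MAC mapping, like arpwatch's database
    alerts = []
    for n, rec in enumerate(records, 1):
        fields = rec.rstrip("\n").split("\t")
        if len(fields) != 4:
            continue
        opcode, sender_ip, sender_mac, target_ip = fields
        sender_mac = sender_mac.lower()
        # Gratuitous ARP: a reply whose sender and target IP are the same. Hosts send these
        # legitimately at boot (and `arping -U` generates them), so alone it is only a hint.
        if opcode == "2" and sender_ip == target_ip:
            alerts.append({"record": n, "kind": "gratuitous reply",
                           "ip": sender_ip, "mac": sender_mac})
        # Every ARP packet (request or reply) asserts sender_ip -> sender_mac; a change is
        # arpwatch's "changed ethernet address" and the classic poisoning symptom.
        known = table.get(sender_ip)
        if known is None:
            table[sender_ip] = sender_mac
        elif known != sender_mac:
            alerts.append({"record": n, "kind": "changed ethernet address",
                           "ip": sender_ip, "old_mac": known, "mac": sender_mac})
            table[sender_ip] = sender_mac
    return table, alerts

# Constructed capture: host .5 resolves the gateway .1, then a third MAC claims to be .1.
SAMPLE = [
    "1\t192.168.1.5\taa:bb:cc:00:00:05\t192.168.1.1",   # request: who has .1?
    "2\t192.168.1.1\taa:bb:cc:00:00:01\t192.168.1.5",   # genuine gateway reply
    "2\t192.168.1.1\tde:ad:be:ef:00:99\t192.168.1.5",   # unsolicited reply, new MAC for .1
    "2\t192.168.1.1\tde:ad:be:ef:00:99\t192.168.1.1",   # gratuitous reply from the new MAC
]

if __name__ == "__main__":
    _table, found = detect_arp_anomalies(SAMPLE)
    for alert in found:
        print(alert)
```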

FTP and HTTP Overview and Analysis Using Wireshark

FTP (File Transfer Protocol): Overview

FTP is one of the earliest protocols used to transfer files between a client and a server over a
network. It works over TCP and follows a client-server model in which the client issues
commands and the server responds. FTP operates on two channels: a command channel (for
control signals) and a data channel (for the actual file transfers).

Advantages:
● Simple to implement
● Useful for bulk file transfers

Drawbacks:
● Transmits data, including credentials, in plaintext
● Susceptible to sniffing and spoofing

Secure Alternatives:
● SFTP (SSH File Transfer Protocol): Uses SSH for encryption
● FTPS (FTP Secure): Adds SSL/TLS encryption to FTP

Wireshark Analysis for FTP:
● Use filter: ftp
● Examine commands (USER, PASS, RETR, STOR).
● Security concern: Credentials are transmitted in plaintext.
● Solution: Use SFTP/FTPS for secure file transfers.

HTTP (Hypertext Transfer Protocol): Overview

HTTP is the foundation of communication on the web. It is a request-response protocol in which
clients (usually browsers) send HTTP requests to servers, which return responses containing data
such as web pages, images, or documents.

Characteristics:
● Stateless: Each request is independent
● Text-based: Human-readable requests and responses

Security Considerations:
● HTTP is unencrypted, making it vulnerable to eavesdropping
● HTTPS (HTTP Secure) adds SSL/TLS encryption for secure communication

Wireshark Analysis for HTTP:
● Use filter: http
● Inspect headers, URLs, sensitive fields, and payload for insights into user activity

Best Practice:
● Always prefer HTTPS to protect sensitive data; HTTP is not encrypted, so switch to HTTPS for
secure communication.
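What the FTP and HTTP Wireshark checks above find in practice: the following Python is an added example (not part of the original experiment) that scans the reassembled text of a stream, as shown by Wireshark's Follow TCP Stream, for credentials sent in the clear (FTP USER/PASS, HTTP Basic authorization, and form logins) and reports them with the password redacted. Both streams are constructed.

```python
"""Audit reassembled FTP/HTTP stream text (Wireshark "Follow TCP Stream", ASCII view) for
credentials sent in the clear. Added example, not part of the original experiment; both
streams below are constructed. Passwords are redacted in the findings."""
import base64
import re
from urllib.parse import parse_qs

BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.I)

def redact(secret):
    return "*" * len(secret)

def find_plaintext_credentials(stream):
    """Return [(protocol, username, redacted_password)] for each exposure found."""
    findings, user = [], None
    lines = stream.splitlines()
    for i, line in enumerate(lines):
        if line.upper().startswith("USER "):      # FTP control channel: USER ...
            user = line[5:].strip()
        elif line.upper().startswith("PASS "):    # ... then PASS, both readable on the wire
            findings.append(("ftp", user, redact(line[5:].strip())))
        m = BASIC_RE.match(line)                   # HTTP Basic: base64(user:pass), not encryption
        if m:
            u, _, p = base64.b64decode(m.group(1)).decode("utf-8", "replace").partition(":")
            findings.append(("http-basic", u, redact(p)))
        if line.startswith("POST "):               # form login: body follows the blank line
            try:
                form = parse_qs(lines[lines.index("", i) + 1])
            except (ValueError, IndexError):
                continue
            if "password" in form:
                findings.append(("http-form", form.get("username", [""])[0],
                                 redact(form["password"][0])))
    return findings

FTP_STREAM = """220 FTP server ready.
USER alice
331 Please specify the password.
PASS s3cret
230 Login successful.
"""
HTTP_STREAM = """GET /admin HTTP/1.1
Authorization: Basic Ym9iOmh1bnRlcjI=

POST /login HTTP/1.1
Content-Type: application/x-www-form-urlencoded

username=carol&password=letmein
"""
```

Run it on a real stream by pasting the ASCII view into a file and passing its contents to find_plaintext_credentials; on an SFTP/FTPS or HTTPS stream the same text is ciphertext and nothing is found.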

Questions and Answers

1. What does it mean for a port on ves.ac.in to be "closed"? More specifically, what is
the TCP packet type, if any, the server gives in response to a SYN packet sent to a port that is
"closed"?
Ans: A port is considered "closed" when there is no service listening on it. When a SYN packet
is sent to a closed port, the server responds with a TCP RST (Reset) packet, indicating that the
connection cannot be established.

2. What does it mean for a port on ves.ac.in to be "filtered"? More specifically, what is the
TCP packet type, if any, the server gives in response to a SYN packet sent to a port that is
"filtered"?
Ans: A port is considered "filtered" when firewall rules or network security mechanisms block
access to it. When a SYN packet is sent to a filtered port, the server either:
● does not respond at all (silent drop), or
● sends an ICMP Destination Unreachable (Type 3, Code 13: Communication Administratively
Prohibited) message.

3. What TCP parameters does nmap alter to fingerprint the host's operating system?
Ans: Nmap modifies various TCP parameters to identify the target's operating system, including:
● Initial TTL (Time to Live) value
● Window size in SYN-ACK responses
● TCP sequence number generation patterns
● Response to unusual flag combinations (e.g., FIN, NULL, and Xmas scans)
● Behavior of IP fragmentation and TCP options (such as Maximum Segment Size (MSS),
Window Scale, and Timestamp values)
● ICMP responses, including TTL values and Type 3 (Destination Unreachable) codes.
These parameters help Nmap compare the responses to a database of known OS signatures and
determine the operating system running on the target host.

Input:-

Screenshots of the following scans and captures were included in the original report (not
reproduced in this text):
● Scanning all open ports
● Intense scan
● Intense scan plus UDP
● Intense scan, all TCP ports
● Intense scan, no ping
● Ping scan
● Quick scan
● Quick scan plus
● Xmas scan
● Perform OS fingerprinting
● ARP (two captures)
● FTP
● UDP
● HTTP

Conclusion:

Nmap is a versatile network scanning tool capable of port scanning, OS detection, and service
identification. Combined with ARPWATCH, Wireshark, and arping, it enables effective
detection of ARP spoofing and traffic analysis. Understanding these tools equips network
professionals to identify vulnerabilities and improve network security.
