Lab1B Scanning - NikhilPhadke
Objective: Scan the network to identify open ports, OS detection, service scanning and
vulnerability scanning.
Outcomes:
1. To install and use a network scanner (nmap).
2. To explore various scanning mechanisms.
3. To enumerate the open ports and identify vulnerable services.
4. To detect the operating system and its associated vulnerabilities.
5. To identify exploits corresponding to the vulnerable services.
System Requirements:
3 workstations installed with Kali Linux/Fedora Linux Core/Ubuntu and Windows XP
Nmap, nmapfe, zenmap, etc.
Procedure:
NMAP: Network exploration tool and security/port scanner
Description:
Nmap is short for Network Mapper. It is an open-source security tool for network
exploration, security scanning, and auditing.
Install nmap:
$sudo apt-get install nmap
$sudo apt-get install nmapfe
$sudo apt-get install zenmap
Usage:
Refer to the manual page of nmap:
$man nmap
To quit the manual page, press the q key.
Short analysis:
Nmap (“Network Mapper”) is an open source tool for network exploration and security
auditing. It was designed to rapidly scan large networks, although it works fine against
single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are
available on the network, what services (application name and version) those hosts are
offering, what operating systems (and OS versions) they are running, what type of
packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is
commonly used for security audits, many systems and network administrators find it
useful for routine tasks such as network inventory, managing service upgrade
schedules, and monitoring host or service uptime.
Short analysis:
Multiple ways of running nmap are demonstrated.
Short analysis:
We saved a text file of target IP addresses in a directory; the -iL option reads the addresses
from that file and runs nmap against each of them.
Short analysis:
This command excludes particular IP addresses and runs nmap on the rest of the addresses
from the given list.
Short analysis:
These commands provide OS detection. The scan reports every piece of information it can
gather about the address provided, along with other details such as the host name, NetBIOS
name, etc.
8: Scan a network and find out which servers and devices are up and running
This is known as host discovery or ping scan:
$sudo nmap -sP 192.168.1.0/24
Short analysis:
If you need to perform a scan quickly, you can use the “-F” flag. The “-F” flag scans only the most
common ports listed in the nmap-services file. Because the -F “Fast Scan” flag does not scan as many
ports, it isn't as thorough.
Short analysis: Nmap output indicates whether a host is up or not, but does not describe the
discovery tests that the host responded to. It can be useful to understand the reason why a port
is marked as open, closed, or filtered and why the host is marked as alive.
References:
https://insecure.org/
Additional document
https://laconicwolf.com/2018/02/04/nmap-scan-csv/
Conclusion:
Network scanning provides information about the target, which is valuable regardless
of whether you're trying to attack the network or protect it from attack. While
performing a basic scan Nmap provides a wide array of options to tweak your scan
to achieve the best results. These features can make scans more accurate, less
likely to be detected, and faster to complete. Nmap's huge list of features and solid
implementation make it the go-to scanner for most scans.
Additional Document
Nmap Target Selection
Scan a single IP: nmap 192.168.1.1
Scan a host: nmap www.test.com
Scan a range of IPs: nmap 192.168.1.1-20
Scan a subnet: nmap 192.168.1.0/24
Scan targets from a text file: nmap -iL list-of-ips.txt
These are all default scans, which will scan 1000 TCP ports. Host discovery will take place.
Privileged access is required to perform the default SYN scans. If privileges are insufficient, a
TCP connect scan will be used. A TCP connect scan requires a full TCP connection to be
established and is therefore slower. Skipping discovery is often required, as many
firewalls or hosts will not respond to ping, so they could be missed unless you select the -Pn
parameter. Of course, this can make scan times much longer, as you could end up sending scan
probes to hosts that are not there.
Service and OS detection rely on different methods to determine the operating system or the
service running on a particular port. The more aggressive service detection is often helpful if
there are services running on unusual ports. On the other hand, the lighter version of service
detection is much faster because it does not really attempt to identify the service; it simply grabs
the banner of the open port.
The default output format can also be saved to a file using a simple file redirect, > file.
Using the -oN option allows the results to be saved while the scan can also be monitored in the
terminal as it is under way.
According to my Nmap install there are currently 471 NSE scripts. The scripts are able to
perform a wide range of security related testing and discovery functions. If you are serious
about your network scanning you really should take the time to get familiar with some of
them.
The option --script-help=$scriptname will display help for the individual scripts. To get an
easy list of the installed scripts try locate nse | grep script.
You will notice I have used the -sV service detection parameter. Generally most NSE scripts
will be more effective and you will get better coverage by including service detection.
UDP-based DDoS reflection attacks are a common problem that network defenders come up
against. This is a handy Nmap command that will scan a target list for systems with open
UDP services that allow these attacks to take place. Full details of the command and the
background can be found on the SANS Institute blog where it was first posted.
There are many HTTP information gathering scripts; here are a few that are simple but
helpful when examining larger networks. They help in quickly identifying which HTTP service
is running on the open port. Note that the http-enum script is particularly noisy. It is similar
to Nikto in that it will attempt to enumerate known paths of web applications and scripts.
This will inevitably generate hundreds of 404 HTTP responses in the web server error and
access logs.
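Those hundreds of 404 responses are also what makes such a scan visible from the server side. The following is an added example, not code from the lab report: it reads web server access-log lines in the common "combined" format and flags any client that produces a burst of 404 responses inside a short sliding window, which is the log footprint the paragraph above describes. The log lines, the addresses, the 60-second window and the threshold of five are all constructed for the illustration and would be tuned to real traffic.

```python
"""Flag clients producing bursts of 404 responses in a web access log.

Added example; not from the lab report or any project. The log lines are
constructed in Apache/nginx combined log format; the window and threshold
are illustrative assumptions, not recommended values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 192.0.2.10 requests many non-existent paths in a few
# seconds (the server-side view of a path-enumeration scan); 198.51.100.5
# is a normal visitor who mistyped one URL.
SAMPLE_LOG = """\
198.51.100.5 - - [04/Feb/2018:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [04/Feb/2018:10:00:02 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.10 - - [04/Feb/2018:10:00:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.10 - - [04/Feb/2018:10:00:03 +0000] "GET /backup/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.10 - - [04/Feb/2018:10:00:03 +0000] "GET /.git/HEAD HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.10 - - [04/Feb/2018:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.5 - - [04/Feb/2018:10:00:05 +0000] "GET /abuot.html HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.10 - - [04/Feb/2018:10:00:05 +0000] "GET /cgi-bin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.10 - - [04/Feb/2018:10:30:00 +0000] "GET /robots.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

# client, identd, user, [timestamp], "method path protocol", status, size, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_404_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: sorted distinct 404 paths} for every client that
    produced at least `threshold` 404 responses within any `window`."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        # Sliding window: advance `start` until the span fits in `window`.
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({r["path"] for r in recs})
                break
    return flagged


if __name__ == "__main__":
    for ip, paths in find_404_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} distinct missing paths, e.g. {paths[:3]}")
```

The sliding window matters: the single mistyped URL from the ordinary visitor, or the same scanner's lone request half an hour later, never reaches the threshold on its own, so the rule fires on the rate of misses rather than on any one request.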
Heartbleed detection is one of the available SSL scripts. It will detect the presence of the well
known Heartbleed vulnerability in SSL services. Specify alternative ports to test SSL on mail
and other protocols (Requires Nmap 6.46).
IP Address information
Find information about an IP address: nmap --script=asn-query,whois,ip-geolocation-maxmind 192.168.1.0/24
Gathers information related to the IP address and the netblock owner of the IP address, using ASN,
whois and GeoIP location lookups.
Remote Scanning
Whatever network perimeter you are scanning, remember that scanning Internet-facing resources
from an external perspective is key when assessing your exposure.
Kismet:
Kismet is a wireless network and device detector, sniffer, wardriving tool, and WIDS (wireless
intrusion detection) framework.
NetStumbler:
Netstumbler is the best known Windows tool for finding open wireless access points
("wardriving"). They also distribute a WinCE version for PDAs and such named
MiniStumbler. The tool is currently free but Windows-only and no source code is provided. It
uses a more active approach to finding WAPs than passive sniffers such as Kismet or
KisMAC.
Wellenreiter:
Wellenreiter is a wireless network discovery and auditing tool. Prism2, Lucent, and Cisco
based cards are supported. It is the easiest to use Linux scanning tool. No card configuration
has to be done anymore. The whole look and feel is pretty self-explanatory. It can discover
networks (BSS/IBSS), and detects ESSID broadcasting or non-broadcasting networks and
their WEP capabilities and the manufacturer automatically. DHCP and ARP traffic are
decoded and displayed to give you further information about the networks. An
ethereal/tcpdump-compatible dumpfile and an Application savefile will be automatically
created. Using a supported GPS device and gpsd you can track the location of the
discovered networks. Note: hostap drivers actually don't work in the Perl version.
Aircrack-ng suite:
Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and
WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs. It works with any
wireless network interface controller whose driver supports raw monitoring mode and can
sniff 802.11a, 802.11b and 802.11g traffic.
inSSIDer by MetaGeek:
inSSIDer is a WiFi scanner designed for small networks. It helps you optimize your WiFi
network for the best performance. The software can analyze your wireless network and alert
you if there is a better channel.
It can also help you troubleshoot bandwidth bottlenecks and pinpoint interference and trouble
spots. inSSIDer gives you an overview of the wireless networks within coverage,
including their SSID, channel, and more. It is also capable of detecting rogue
APs. The software is only supported on Windows.