Lab1B Scanning - NikhilPhadke


Department of Master Computer Applications

MC581- Ethical Hacking


Network Scanning using Open-Source Tools

Student Name: Tanuj Rajput Sem: 2 UCID: 2020510054 Date: 20-9-2021

Objective: Scan the network to identify open ports, OS detection, service scanning and
vulnerability scanning.

Outcomes:
1. To install and use a network scanner (nmap)
2. To explore various scanning mechanisms
3. To enumerate the open ports and identify vulnerable services
4. To detect the operating system and associated vulnerabilities
5. To identify the exploit with respect to vulnerable services
System Requirements:
3 workstations installed with Kali Linux/Fedora Linux Core/Ubuntu and Windows XP
Nmap, nmapfe, zenmap etc

Procedure:
NMAP: Network exploration tool and security/port scanner
Description:
Nmap is short for Network Mapper. It is an open-source security tool for network
exploration, security scanning, and auditing.

Install nmap:
$sudo apt-get install nmap
$sudo apt-get install zenmap
Note: nmapfe, the old GTK front end, was replaced by Zenmap in Nmap 4.50 and is no longer
packaged, so "sudo apt-get install nmapfe" fails on current Kali/Ubuntu releases; Zenmap is
the graphical front end to install.

Usage:
Refer to the manual page of nmap:
$man nmap
To quit the manual page, press q.

Ethical Hacking Page 1



1: Scan a single host or an IP address (IPv4)


$sudo nmap 192.168.1.1

Scan a host name with verbose output (-v prints progress and extra detail while the scan runs):

$sudo nmap -v servername

Short analysis:
Nmap (“Network Mapper”) is an open source tool for network exploration and security
auditing. It was designed to rapidly scan large networks, although it works fine against
single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are
available on the network, what services (application name and version) those hosts are
offering, what operating systems (and OS versions) they are running, what type of
packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is
commonly used for security audits, many systems and network administrators find it
useful for routine tasks such as network inventory, managing service upgrade
schedules, and monitoring host or service uptime.


2. Scan multiple IP addresses or a subnet (IPv4)


$sudo nmap 192.168.1.1 192.168.56.103

$sudo nmap 192.168.1.1,2,3

You can also scan a range of IP addresses (an octet range in the last field):


$sudo nmap 192.168.1.1-20


You can scan a range of IP addresses using a wildcard (the * expands to 0-255):


$sudo nmap 192.168.1.*

Finally, scan an entire subnet in CIDR notation:


$sudo nmap 192.168.1.0/24


Short analysis:
Several target notations were used: a space-separated list, a comma list in the last
octet (192.168.1.1,2,3), an octet range (192.168.1.1-20), a wildcard (192.168.1.*) and
CIDR notation (192.168.1.0/24). The wildcard and the /24 describe the same 256 addresses
(.0 to .255), so those two scans cover identical hosts.

3: Read list of hosts/networks from a file (IPv4)


The -iL option reads the list of target systems from a text file. This is useful to
scan a large number of hosts/networks. Create a text file as follows (type the entries,
then press Ctrl-D to finish):
cat > /tmp/test.txt
File contents:
192.168.1.0/24
192.168.1.1/24
10.1.2.3
localhost
Each entry may use any notation accepted on the command line. Note that 192.168.1.1/24
describes the same network as 192.168.1.0/24, so the second line adds no new hosts.
The syntax is:


$sudo nmap -iL /tmp/test.txt

Short analysis:
The target list was saved in a text file, and the -iL option makes nmap read its targets
from that file instead of the command line and scan each entry in turn.

4: Excluding hosts/networks (IPv4)


When scanning a large number of hosts/networks you can exclude hosts from a scan:
$sudo nmap 192.168.1.0/24 --exclude 192.168.1.5
$sudo nmap 192.168.1.0/24 --exclude 192.168.1.5,192.168.1.254
OR exclude list from a file called /tmp/exclude.txt
$sudo nmap -iL /tmp/scanlist.txt --excludefile /tmp/exclude.txt

Short analysis:
These commands exclude particular IP addresses (or networks) and perform the nmap scan on the
rest of the addresses from the given list. --excludefile takes the exclusions from a file in
the same format as the -iL target file.
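Before scanning, it helps to expand the target notations used in sections 2 to 4 and confirm exactly which addresses will be probed. The Python script below is an added example written for this report, not Nmap's own code: it implements the IPv4 octet list/range/wildcard and CIDR rules shown above, drops duplicates, applies --exclude style removal, and passes host names through unexpanded. Omitted range bounds (such as 1-) and IPv6 are not handled. The SAMPLE_TARGET_FILE string is constructed to mirror the lab's /tmp/test.txt.

```python
"""Expand Nmap-style IPv4 target specifications and apply an exclude list.

Added example for this lab report (not part of Nmap). It mirrors the target
notations used above: 192.168.1.1,2,3 / 192.168.1.1-20 / 192.168.1.* /
192.168.1.0/24, plus -iL target files and --exclude lists.
"""
import ipaddress
import itertools
from typing import Iterable, List


def _octet_values(field: str) -> List[int]:
    """Expand one dotted-quad field: '*', a number, a range 'a-b' or a comma list."""
    if field == "*":
        return list(range(256))
    values: List[int] = []
    for part in field.split(","):
        if "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)        # omitted bounds are not supported here
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"invalid octet range {part!r} in {field!r}")
        values.extend(range(lo, hi + 1))
    return values


def _looks_like_ipv4_spec(spec: str) -> bool:
    """True for four dot-separated fields made of digits, commas, ranges or '*'."""
    fields = spec.split(".")
    return len(fields) == 4 and all(
        f == "*" or f.replace(",", "").replace("-", "").isdigit() for f in fields
    )


def expand_target(spec: str) -> List[str]:
    """Expand one target spec into concrete IPv4 addresses (as strings).

    Host names such as 'localhost' or 'server1' are returned unchanged; Nmap
    resolves them at scan time.
    """
    if "/" in spec:
        # strict=False makes 192.168.1.1/24 the same block as 192.168.1.0/24.
        # Iterating the network includes the .0 and .255 addresses, as Nmap does.
        net = ipaddress.ip_network(spec, strict=False)
        return [str(addr) for addr in net]
    if not _looks_like_ipv4_spec(spec):
        return [spec]
    fields = [_octet_values(f) for f in spec.split(".")]
    return [".".join(str(o) for o in combo) for combo in itertools.product(*fields)]


def expand_targets(specs: Iterable[str], exclude: Iterable[str] = ()) -> List[str]:
    """Expand several specs in order, dropping duplicates and excluded addresses."""
    excluded = {addr for spec in exclude for addr in expand_target(spec)}
    seen = set()
    result: List[str] = []
    for spec in specs:
        for addr in expand_target(spec):
            if addr in seen or addr in excluded:
                continue
            seen.add(addr)
            result.append(addr)
    return result


def load_target_file(text: str) -> List[str]:
    """Split the contents of an -iL or --excludefile style file into specs."""
    return text.split()


# Constructed sample mirroring the lab's /tmp/test.txt. The second line names
# the same /24 as the first, so it contributes no additional hosts.
SAMPLE_TARGET_FILE = "192.168.1.0/24\n192.168.1.1/24\n10.1.2.3\nlocalhost\n"


if __name__ == "__main__":
    targets = expand_targets(load_target_file(SAMPLE_TARGET_FILE), exclude=["192.168.1.5"])
    print(len(targets), "targets after exclusion")  # 257: 255 from the /24 plus 10.1.2.3 and localhost
    print(expand_targets(["192.168.1.1-3", "192.168.1.2,4"]))
```

Running it against the sample file shows 257 targets: the duplicate /24 line collapses, 192.168.1.5 is removed by the exclusion, and localhost is left for DNS. The same expansion is a cheap pre-flight check that a --exclude list really covers the hosts you must not touch.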


5: Turn on OS detection, version detection, script scanning and traceroute (IPv4)


$sudo nmap -A 192.168.1.37

$sudo nmap -v -A 192.168.1.37

Short analysis:
The -A option enables OS detection (-O), version detection (-sV), the default NSE scripts (-sC)
and traceroute (--traceroute) in one flag. OS detection needs raw packets, which is why sudo is
required. Besides the open ports and service versions, the output shows the host name and, where
SMB is present, NetBIOS details gathered by the default scripts. -v adds progress output.


6: Find out if a host/network is protected by a firewall


$sudo nmap -sA 192.168.1.37

Short analysis:
-sA is a TCP ACK scan. It never determines whether a port is open; it only maps firewall rules.
A port that answers the ACK with a RST is reported as unfiltered (reachable, but not necessarily
open); no response or an ICMP unreachable error means filtered. Combine it with -sS to learn
which of the unfiltered ports are actually open.

7: Scan a host when protected by the firewall


$sudo nmap -PN 192.168.1.37

$sudo nmap -PN server1

Short analysis:
-PN (now written -Pn; both spellings are accepted) skips host discovery and treats every target
as up, so a host whose firewall drops ping probes is still port scanned instead of being reported
as down.


8: Scan a network and find out which servers and devices are up and running
This is known as host discovery or ping scan (-sP is the old name for -sn; it performs host
discovery only and no port scan):
$sudo nmap -sP 192.168.1.0/24

9: How do I perform a fast scan?


$sudo nmap -F 192.168.1.1

Short analysis:
If you need to perform a scan quickly, use the -F flag. It scans only the 100 most common
ports from the nmap-services file instead of the default 1000. Because -F ("fast scan")
covers fewer ports, it is faster but less thorough.

10: Display the reason a port is in a particular state


$sudo nmap --reason 192.168.1.1


$sudo nmap --reason server1

Short analysis: By default Nmap output says whether a host is up and what state each port is in,
but not which probe or response produced that verdict. --reason adds that detail (for example
syn-ack for an open port, reset for a closed one, no-response for a filtered one, and the
discovery probe the host answered), which helps when deciding whether a filtered port is a
firewall or a dead host.

11: Only show open (or possibly open) ports


$sudo nmap --open 192.168.56.102

$sudo nmap --open server1


Short analysis: --open shows only hosts with at least one open, open|filtered, or unfiltered
port, and only ports in those states, which keeps the output short on large scans.


12: Show all packets sent and received


$sudo nmap --packet-trace 192.168.1.1

$sudo nmap --packet-trace server1


Short analysis:
--packet-trace prints every packet Nmap sends and receives, which is useful for seeing exactly
which probes a firewall drops; the output is large, so restrict it to a few ports or one host.

To identify a particular vulnerability for further exploitation:


$sudo nmap -sT -A --script=smb-check-vulns -Pn --script-args=unsafe=1 192.168.56.103
Or
$sudo nmap -n -sV 192.168.56.103

The first command runs a TCP connect scan with -A and the smb-check-vulns NSE script against the
target; --script-args=unsafe=1 enables checks that can crash the target service, so use it only on
lab machines. smb-check-vulns has been removed from current Nmap releases and split into individual
smb-vuln-* scripts (for example smb-vuln-ms08-067 and smb-vuln-ms17-010), so on a recent install
use --script=smb-vuln* instead. The second command skips DNS resolution (-n) and runs version
detection (-sV); the product and version strings it returns are what you search for when looking
up known exploits.

Analysis of nmap scan results


Refer: Nmap Scan to CSV (R3)
https://laconicwolf.com/2018/02/04/nmap-scan-csv/
Save the nmap results as XML with -oX:
$nmap -oX nmap_scan.xml -sT ....

Converting nmap_scan.xml to nmap_scan.csv with the parser from that article is simple:


$python3 nmap_xml_parser.py -f nmap_scan.xml -csv nmap_scan.csv
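To see what the XML to CSV step actually does, and how the --reason and --open information from sections 10 and 11 survives in the XML, here is an added Python example written for this report. It is not Nmap's code and not the nmap_xml_parser.py from the article above; it reads the nmaprun XML that -oX writes, flattens each port into one row carrying the state, the reason string and the detected service and OS, filters like --open, and writes CSV. SAMPLE_XML is a constructed document in the nmaprun format, not the output of a real scan.

```python
"""Parse Nmap -oX output into flat rows and write them as CSV.

Added example for this lab report; it is not Nmap's own code nor the
nmap_xml_parser.py referenced above. SAMPLE_XML is constructed to follow the
nmaprun schema and is not the output of a real scan.
"""
import csv
import io
import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -O --reason -oX nmap_scan.xml 192.168.56.103" version="7.91">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.56.103" addrtype="ipv4"/>
<address addr="08:00:27:00:00:01" addrtype="mac"/>
<hostnames><hostname name="lab-target" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/>
<service name="ssh" product="OpenSSH" version="8.2p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/>
<service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="445"><state state="filtered" reason="no-response" reason_ttl="0"/>
<service name="microsoft-ds" method="table" conf="3"/></port>
</ports>
<os><osmatch name="Linux 5.0 - 5.4" accuracy="96"/></os>
</host>
<host><status state="down" reason="no-response"/>
<address addr="192.168.56.104" addrtype="ipv4"/></host>
</nmaprun>
"""

FIELDS = ["ip", "hostname", "host_state", "port", "protocol", "state",
          "reason", "service", "product", "version", "os"]
OPEN_STATES = {"open", "open|filtered", "unfiltered"}   # the states nmap --open keeps


def _attr(parent: ET.Element, path: str, attr: str) -> str:
    """Attribute of the first child matching path, or '' if absent."""
    el = parent.find(path)
    return el.get(attr, "") if el is not None else ""


def parse_nmap_xml(xml_text: str) -> List[Dict[str, str]]:
    """Flatten nmaprun XML: one row per port, plus one row for hosts without ports."""
    root = ET.fromstring(xml_text)
    rows: List[Dict[str, str]] = []
    for host in root.iter("host"):
        base = {
            "ip": _attr(host, "address[@addrtype='ipv4']", "addr"),
            "hostname": _attr(host, "hostnames/hostname", "name"),
            "host_state": _attr(host, "status", "state"),
            "os": _attr(host, "os/osmatch", "name"),
        }
        ports = host.findall("ports/port")
        if not ports:
            # Down hosts keep a row carrying the host-discovery reason so they are not lost.
            rows.append({**base, "port": "", "protocol": "", "state": "",
                         "reason": _attr(host, "status", "reason"),
                         "service": "", "product": "", "version": ""})
            continue
        for port in ports:
            rows.append({
                **base,
                "port": port.get("portid", ""),
                "protocol": port.get("protocol", ""),
                "state": _attr(port, "state", "state"),
                "reason": _attr(port, "state", "reason"),      # what --reason shows
                "service": _attr(port, "service", "name"),
                "product": _attr(port, "service", "product"),  # from -sV
                "version": _attr(port, "service", "version"),
            })
    return rows


def open_ports(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Mimic nmap --open: keep only open, open|filtered and unfiltered ports."""
    return [r for r in rows if r["state"] in OPEN_STATES]


def to_csv(rows: List[Dict[str, str]]) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(open_ports(parse_nmap_xml(SAMPLE_XML))))
```

The reason column is the piece the CSV from a plain -oN file lacks: a filtered port with reason no-response and a down host with reason no-response look the same in a summary, but here they are kept apart by host_state, which is exactly the question --reason answers in section 10.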


References:
https://insecure.org/
Additional document: https://laconicwolf.com/2018/02/04/nmap-scan-csv/
Conclusion:
Network scanning provides information about the target, which is valuable regardless
of whether you're trying to attack the network or protect it from attack. While
performing a basic scan Nmap provides a wide array of options to tweak your scan
to achieve the best results. These features can make scans more accurate, less
likely to be detected, and faster to complete. Nmap's huge list of features and solid
implementation make it the go-to scanner for most scans.

Additional Document
Nmap Target Selection
Scan a single IP nmap 192.168.1.1
Scan a host nmap www.test.com
Scan a range of IPs nmap 192.168.1.1-20
Scan a subnet nmap 192.168.1.0/24
Scan targets from a text file nmap -iL list-of-ips.txt

These are all default scans, which will scan 1000 TCP ports. Host discovery will take place.

Nmap Port Selection


Scan a single port                  nmap -p 22 192.168.1.1
Scan a range of ports               nmap -p 1-100 192.168.1.1
Scan 100 most common ports (fast)   nmap -F 192.168.1.1
Scan all 65535 ports                nmap -p- 192.168.1.1

Nmap Port Scan types


Scan using TCP connect                      nmap -sT 192.168.1.1
Scan using TCP SYN scan (default)           nmap -sS 192.168.1.1
Scan UDP ports                              nmap -sU -p 123,161,162 192.168.1.1
Scan selected ports - ignore discovery      nmap -Pn -F 192.168.1.1


Privileged access is required to perform the default SYN scans. If privileges are insufficient a
TCP connect scan will be used. A TCP connect requires a full TCP connection to be
established and therefore is a slower scan. Ignoring discovery is often required as many
firewalls or hosts will not respond to PING, so could be missed unless you select the -Pn
parameter. Of course this can make scan times much longer as you could end up sending scan
probes to hosts that are not there.

Service and OS Detection


Detect OS and services                   nmap -A 192.168.1.1
Standard service detection               nmap -sV 192.168.1.1
More aggressive service detection        nmap -sV --version-intensity 5 192.168.1.1
Lighter banner grabbing detection        nmap -sV --version-intensity 0 192.168.1.1

Service and OS detection rely on different methods to determine the operating system or the
service running on a particular port. The more aggressive service detection is often helpful if
there are services running on unusual ports. The lighter version is much faster because it does
not really attempt to identify the service; it simply grabs the banner of the open service.

Nmap Output Formats


Save default output to file nmap -oN outputfile.txt 192.168.1.1
Save results as XML nmap -oX outputfile.xml 192.168.1.1
Save results in a format for grep nmap -oG outputfile.txt 192.168.1.1
Save in all formats nmap -oA outputfile 192.168.1.1

The default format could also be saved to a file using a simple file redirect command > file.
Using the -oN option allows the results to be saved but also can be monitored in the terminal
as the scan is under way.

Digging deeper with NSE Scripts


Scan using default safe scripts nmap -sV -sC 192.168.1.1


Get help for a script                  nmap --script-help=ssl-heartbleed
Scan using a specific NSE script       nmap -sV -p 443 --script=ssl-heartbleed.nse 192.168.1.1
Scan with a set of scripts             nmap -sV --script=smb* 192.168.1.1

According to my Nmap install there are currently 471 NSE scripts. The scripts are able to
perform a wide range of security related testing and discovery functions. If you are serious
about your network scanning you really should take the time to get familiar with some of
them.

The option --script-help=$scriptname will display help for the individual scripts. To get an
easy list of the installed scripts try locate nse | grep script.

You will notice I have used the -sV service detection parameter. Generally most NSE scripts
will be more effective and you will get better coverage by including service detection.

A scan to search for DDOS reflection UDP services


Scan for UDP DDOS reflectors   nmap -sU -A -PN -n -pU:19,53,123,161 --script=ntp-monlist,dns-recursion,snmp-sysdescr 192.168.1.0/24

UDP based DDOS reflection attacks are a common problem that network defenders come up
against. This is a handy Nmap command that scans a target list for systems with open UDP
services (chargen on 19, DNS on 53, NTP on 123, SNMP on 161) that allow these attacks to take
place: an NTP server answering monlist, an open recursive resolver or a readable SNMP community
lets an attacker bounce amplified traffic off the host. Full details of the command and the
background can be found on the SANS Institute blog where it was first posted.

HTTP Service Information


Gather page titles from HTTP services      nmap --script=http-title 192.168.1.0/24
Get HTTP headers of web services           nmap --script=http-headers 192.168.1.0/24
Find web apps from known paths             nmap --script=http-enum 192.168.1.0/24

There are many HTTP information gathering scripts; here are a few that are simple but
helpful when examining larger networks. They help in quickly identifying which HTTP service is
running on the open port. Note that the http-enum script is particularly noisy. It is similar
to Nikto in that it attempts to enumerate known paths of web applications and scripts. This
will inevitably generate hundreds of 404 HTTP responses in the web server error and access
logs.


Detect Heartbleed SSL Vulnerability


Heartbleed Testing nmap -sV -p 443 --script=ssl-heartbleed 192.168.1.0/24

Heartbleed detection is one of the available SSL scripts. It will detect the presence of the well
known Heartbleed vulnerability in SSL services. Specify alternative ports to test SSL on mail
and other protocols (Requires Nmap 6.46).

IP Address information
Find information about IP address    nmap --script=asn-query,whois,ip-geolocation-maxmind 192.168.1.0/24
(In recent Nmap releases the whois script is named whois-ip.)

Gather information related to the IP address and netblock owner of the IP address. Uses ASN,
whois and geoip location lookups.

Remote Scanning

Depending on which network perimeter you are scanning, remember that scanning your Internet-facing
resources from an external vantage point is key when assessing your exposure: a scan from inside
the LAN does not show what an attacker on the Internet can reach through the firewall.

Wireless Network Scanning Tools:


Kismet:


It is a wireless network and device detector, sniffer, wardriving tool, and WIDS (wireless
intrusion detection) framework.

NetStumbler:
Netstumbler is the best known Windows tool for finding open wireless access points
("wardriving"). They also distribute a WinCE version for PDAs and such named
MiniStumbler. The tool is currently free but Windows-only and no source code is provided. It
uses a more active approach to finding WAPs than passive sniffers such as Kismet or
KisMAC.

Wellenreiter:
Wellenreiter is a wireless network discovery and auditing tool. Prism2, Lucent, and Cisco
based cards are supported. It is the easiest to use Linux scanning tool. No card configuration
has to be done anymore. The whole look and feel is pretty self-explanatory. It can discover
networks (BSS/IBSS), and detects ESSID broadcasting or non-broadcasting networks and
their WEP capabilities and the manufacturer automatically. DHCP and ARP traffic are
decoded and displayed to give you further information about the networks. An
ethereal/tcpdump-compatible dumpfile and an application savefile will be automatically
created. Using a supported GPS device and gpsd you can track the location of the
discovered networks. Note: hostap drivers actually don't work in the Perl version.

Aircrack-ng suite:
Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and
WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs. It works with any
wireless network interface controller whose driver supports raw monitoring mode and can
sniff 802.11a, 802.11b and 802.11g traffic.

inSSIDer by MetaGeek

inSSIDer is a WiFi scanner designed for small networks. It helps you optimize your WiFi
network for the best performance. The software can analyze your wireless network and alert
you if there is a better channel. It can also help you troubleshoot bandwidth bottlenecks and
pinpoint interference and trouble spots. inSSIDer gives you an overview of the wireless
networks within coverage, including their SSID, channel, and more. It is also capable of
detecting rogue APs. The software is only supported on Windows.

