Tuesday, April 22, 2014

Scanning Networks - p.7

Lab 6

Exploring and Auditing a Network Using Nmap

Nmap (Zenmap is the official Nmap GUI) is a free, open source (license) utility for network exploration and security auditing.

Lab Scenario

In the previous lab you learned to use GFI LanGuard 2012 to scan a network to find out the vulnerability level, system patching status, details of open and closed ports, vulnerable computers, etc. An administrator and an attacker can use the same tools to fix or to exploit a system. If an attacker learns all the information about vulnerable computers, they will immediately act to compromise those systems using reconnaissance techniques. Therefore, as an administrator it is very important for you to patch those systems after you have determined all the vulnerabilities in a network, before the attacker audits the network to gain information about them. Also, as an ethical hacker and network administrator for your company, your job is to carry out daily security tasks, such as network inventory, service upgrade schedules, and the monitoring of host or service uptime. So, you will be guided in this lab to use Nmap to explore and audit a network.

Lab Objectives

The objective of this lab is to help students learn and understand how to perform a network inventory, manage services and upgrades, schedule network tasks, and monitor host or service uptime and downtime.
In this lab, you need to:

■ Scan TCP and UDP ports
■ Analyze host details and their topology
■ Determine the types of packet filters

■ Record and save all scan reports
■ Compare saved results for suspicious ports

Lab Environment

To perform the lab, you need:

■ Nmap located at D:\CEH-Tools\CEHv8 Module 03 Scanning Networks\Scanning Tools\Nmap
■ You can also download the latest version of Nmap from http://nmap.org/
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ A computer running Windows Server 2012 as a host machine
■ Windows Server 2008 running on a virtual machine as a guest
■ A web browser with Internet access
■ Administrative privileges to run the Nmap tool

Lab Duration

Time: 20 Minutes

Overview of Network Scanning

Network addresses are scanned to determine:

■ What services (application names and versions) those hosts offer
■ What operating systems (and OS versions) they run
■ The type of packet filters/firewalls that are in use, and dozens of other characteristics

Lab Tasks

Follow the wizard-driven installation steps and install the Nmap (Zenmap) scanner on the host machine (Windows Server 2012).

1. Launch the Start menu by hovering the mouse cursor in the lower-left corner of the desktop

FIGURE 6.1: Windows Server 2012—Desktop view
2. Click the Nmap-Zenmap GUI app to open the Zenmap window

FIGURE 6.2 Windows Server 2012 - Apps

3. The Nmap - Zenmap GUI window appears

FIGURE 6.3: The Zenmap main window

4. Enter the IP address of the Windows Server 2008 virtual machine (10.0.0.4) in the Target: text field. You are performing a network inventory of the virtual machine
5. In this lab the IP address is 10.0.0.4; it will be different in your lab environment
6. In the Profile: field, select the type of scan profile you want from the drop-down list. In this lab, select Intense scan
7. Click Scan to start scanning the virtual machine.

FIGURE 6.4: The Zenmap main window with Target and Profile entered
8. Nmap scans the provided IP address with the Intense scan profile and displays the result below the Nmap Output tab.

FIGURE 6.5: The Zenmap main window with the Nmap Output tab for Intense Scan
9. After the scan is complete, Nmap shows the scan results

FIGURE 6.6: The Zenmap main window with the Nmap Output tab for Intense Scan
10. Click the Ports/Hosts tab to display more information on the scan results.
11. Nmap also displays the Port, Protocol, State, Service, and Version of each finding.

FIGURE 6.7: The Zenmap main window with the Ports/Hosts tab for Intense Scan

12. Click the Topology tab to view the topology Nmap built for the provided IP address with the Intense scan profile.

FIGURE 6.8: The Zenmap main window with Topology tab for Intense Scan
13. Click the Host Details tab to see the details of all hosts discovered during the Intense scan.

FIGURE 6.9: The Zenmap main window with Host Details tab for Intense Scan

14. Click the Scans tab to view the list of scans run against the provided IP address.

FIGURE 6.10: The Zenmap main window with Scan tab for Intense Scan
15. Now, click the Services tab located in the left pane of the window. This tab lists the services discovered.
16. Click the http service to list every host (hostname/IP address) and port on which HTTP was found, together with the port state (open/closed).

FIGURE 6.11: The Zenmap main window with Services option for Intense Scan

17. Click the msrpc service to list every host and port offering Microsoft Windows RPC.

FIGURE 6.12 The Zenmap main window with msrpc Service for Intense Scan

18. Click the netbios-ssn service to list every host and port on which the NetBIOS session service was found.

FIGURE 6.13: The Zenmap main window with netbios-ssn Service for Intense Scan
19. An Xmas scan (-sX) sends a TCP segment to the remote host with the FIN, PSH, and URG flags set. Like the FIN and Null scans, it works only against a TCP/IP stack that behaves as RFC 793 specifies: a closed port answers with RST, while an open port silently drops the segment. Microsoft Windows does not follow this behaviour and replies with RST regardless of port state, so an Xmas scan reports every port on a Windows target as closed.

20. Now, to perform an Xmas scan, you need to create a new profile. Click Profile -> New Profile or Command (Ctrl+P)


21. On the Profile tab, enter Xmas Scan in the Profile name text field.

FIGURE 6.15: The Zenmap Profile Editor window with the Profile tab
22. Click the Scan tab, and select Xmas Tree scan (-sX) from the TCP scan: drop-down list.

FIGURE 6.16: The Zenmap Profile Editor window with the Scan tab
23. Select None in the Non-TCP scans: drop-down list and Aggressive (-T4) in the Timing template: list, and click Save Changes
FIGURE 6.17: The Zenmap Profile Editor window with the Scan tab
24. Enter the IP address in the Target: field, select the Xmas Scan option from the Profile: field, and click Scan.
FIGURE 6.18: The Zenmap main window with Target and Profile entered
25. Nmap scans the target IP address provided and displays results on the Nmap Output tab.

FIGURE 6.19: The Zenmap main window with the Nmap Output tab
26. Click the Services tab at the side of the pane. It displays all the services found on that host.

FIGURE 6.20: Zenmap Main window with Services Tab
27. A Null scan (-sN) sends a TCP segment to the remote host with no flags set. It works only if the target's TCP/IP implementation follows RFC 793 (RST from a closed port, silence from an open one), so Nmap reports a port that does not answer as open|filtered and, as with the Xmas scan, every port on a Windows target appears closed.

28. To perform a Null scan against a target IP address, create a new profile. Click Profile -> New Profile or Command (Ctrl+P)

FIGURE 6.21: The Zenmap main window with the New Profile or Command option

29. On the Profile tab, enter the profile name Null Scan in the Profile name text field.

FIGURE 6.22: The Zenmap Profile Editor with the Profile tab
30. Click the Scan tab in the Profile Editor window. Now select the Null Scan (-sN) option from the TCP scan: drop-down list.

FIGURE 6.23: The Zenmap Profile Editor with the Scan tab
31. Select None from the Non-TCP scans: drop-down field and select Aggressive (-T4) from the Timing template: drop-down field.

32. Click Save Changes to save the newly created profile.

FIGURE 6.24: The Zenmap Profile Editor with the Scan tab
33. In the main window of Zenmap, enter the target IP address to scan, select the Null Scan profile from the Profile drop-down list, and then click Scan.

FIGURE 6.25: The Zenmap main window with Target and Profile entered

34. Nmap scans the target IP address provided and displays results in Nmap Output tab.

FIGURE 6.26: The Zenmap main window with the Nmap Output tab
35. Click the Host Details tab to view the details of the host, such as Host Status, Addresses, Open Ports, and Closed Ports

FIGURE 6.27: The Zenmap main window with the Host Details tab
36. An ACK scan (-sA) sends an ACK probe with a random sequence number. It does not distinguish open from closed ports: an RST reply means the port is unfiltered (reachable through any packet filter on the path), while no response, or an ICMP unreachable error, means the port is filtered. It is used to map firewall rules, not to enumerate services.

37. To perform an ACK Flag Scan against a target IP address, create a new profile. Click Profile -> New Profile or Command (Ctrl+P).
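The following is an added example, not part of the original lab and not Nmap's own code. It shows, for the Xmas, Null and ACK scans described in steps 19, 27 and 36, the TCP header each probe carries on the wire and the rule Nmap applies to the reply (or the silence) to produce a port state. Nothing is transmitted; the code only builds and inspects bytes. The IP addresses, port numbers, and the three target models (an RFC 793 stack, a Windows stack that answers RST to everything, and a dropping firewall) are constructed for illustration.

```python
import random
import socket
import struct

# TCP flag bits (RFC 793 header, byte 13)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combinations Nmap sends for the scan types used in this lab
PROBE_FLAGS = {
    "xmas": FIN | PSH | URG,   # nmap -sX
    "null": 0,                 # nmap -sN
    "ack":  ACK,               # nmap -sA
}

# ICMP destination-unreachable (type 3) codes Nmap reports as "filtered"
ICMP_FILTERED_CODES = {1, 2, 3, 9, 10, 13}


def _checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def build_tcp_probe(scan, src_ip, dst_ip, sport, dport, seq=None):
    """20-byte TCP header for one probe of the given scan type, checksummed
    over the IPv4 pseudo-header the way a real stack expects."""
    seq = random.getrandbits(32) if seq is None else seq
    offset = 5 << 4                      # 5 32-bit words, no options
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, offset,
                      PROBE_FLAGS[scan], 1024, 0, 0)
    csum = _checksum(_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def tcp_flags(header: bytes) -> int:
    return header[13]


def checksum_ok(header: bytes, src_ip: str, dst_ip: str) -> bool:
    """A correct checksum makes the sum over pseudo-header plus header fold to zero."""
    return _checksum(_pseudo_header(src_ip, dst_ip, len(header)) + header) == 0


def classify(scan, reply):
    """Nmap's port-state rule. reply is None (no answer), ("tcp", flags)
    or ("icmp", type, code)."""
    inverse = scan in ("xmas", "null")   # both rely on RFC 793 RST-or-silence
    if reply is None:
        return "open|filtered" if inverse else "filtered"
    if reply[0] == "tcp" and reply[1] & RST:
        return "closed" if inverse else "unfiltered"
    if reply[0] == "icmp" and reply[1] == 3 and reply[2] in ICMP_FILTERED_CODES:
        return "filtered"
    return "unexpected"


# --- constructed target models (assumptions, not captured behaviour) ----
def rfc793_stack(open_ports):
    """RFC 793: a CLOSED port answers any non-RST segment with RST; a LISTEN
    port answers an ACK with RST but silently drops a segment carrying
    neither ACK nor SYN (the Xmas and Null probes)."""
    def respond(flags, dport):
        if dport in open_ports and not flags & ACK:
            return None
        return ("tcp", RST)
    return respond


def windows_stack(open_ports):
    """Windows answers Xmas/Null/FIN probes with RST whether or not the port
    is open, so these scans report every port as closed."""
    def respond(flags, dport):
        return ("tcp", RST)
    return respond


def dropping_firewall():
    """A stateful filter in front of the host that drops unsolicited probes."""
    def respond(flags, dport):
        return None
    return respond


def scan(scan_type, respond, ports):
    return {p: classify(scan_type, respond(PROBE_FLAGS[scan_type], p)) for p in ports}


if __name__ == "__main__":
    probe = build_tcp_probe("xmas", "10.0.0.2", "10.0.0.4", 40000, 80, seq=1)
    print("xmas flags 0x%02x, checksum ok: %s" % (tcp_flags(probe), checksum_ok(probe, "10.0.0.2", "10.0.0.4")))
    for name, target in (("RFC 793 host", rfc793_stack({80, 139})), ("Windows host", windows_stack({80, 139}))):
        print(name, "xmas:", scan("xmas", target, [80, 139, 81]))
    print("ack through firewall:", scan("ack", dropping_firewall(), [80]))
```

Running the block shows the point of steps 19 and 27 directly: the same Xmas probe yields open|filtered for port 80 on the RFC 793 model but closed on the Windows model, while the ACK probe reports unfiltered on both and filtered only where the firewall drops it.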

FIGURE 6.28: The Zenmap main window with the New Profile or Command option
38. On the Profile tab, input ACK Flag Scan in the Profile name text field

FIGURE 6.29: The Zenmap Profile Editor Window with the Profile tab

39. To select the parameters for an ACK scan, click the Scan tab in the Profile Editor window, select ACK scan (-sA) from the TCP scan: drop-down list, leave all the other drop-down fields at None, and leave the Targets: field empty.

FIGURE 6.30: The Zenmap Profile Editor window with the Scan tab

40. Now click the Ping tab and check IPProto probes (-PO), which uses IP protocol ping for host discovery, and then click Save Changes

FIGURE 6.31: The Zenmap Profile Editor window with the Ping tab
41. In the Zenmap main window, enter the IP address of the target machine (in this lab: 10.0.0.3), select ACK Flag Scan from the Profile: drop-down list, and then click Scan.

FIGURE 6.32: The Zenmap main window with the Target and Profile entered

42. Nmap scans the target IP address provided and displays results on the Nmap Output tab.

FIGURE 6.33: The Zenmap main window with the Nmap Output tab

43. To view more details regarding the host, click the Host Details tab

FIGURE 6.34: The Zenmap main window with the Host Details tab
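The lab objectives also ask you to record every scan report and compare saved results for suspicious ports. The following added example (not from the original lab or from the Nmap project) gives the command-line equivalents of the four profiles used above, saved with -oA so that normal, grepable and XML reports are written in one run, and then parses two saved grepable (-oG) reports to list ports whose state changed between runs and open ports missing from a documented baseline. The two reports are constructed samples in Nmap's -oG line format, not captures from the lab; the host 10.0.0.4 and the baseline are likewise assumptions.

```python
from typing import Dict, List, Tuple

# Options Zenmap builds for the profiles used in this lab; "-oA <base>"
# writes <base>.nmap, <base>.gnmap and <base>.xml in one run.
PROFILE_OPTIONS = {
    "Intense scan":  ["-T4", "-A", "-v"],   # Zenmap's built-in profile
    "Xmas Scan":     ["-sX", "-T4"],        # profile created in steps 20-23
    "Null Scan":     ["-sN", "-T4"],        # steps 28-32
    "ACK Flag Scan": ["-sA", "-PO"],        # steps 37-40
}


def nmap_command(profile: str, target: str, basename: str) -> List[str]:
    """argv for running one of the lab's profiles from a shell and saving all three report formats."""
    return ["nmap", *PROFILE_OPTIONS[profile], "-oA", basename, target]


Port = Tuple[int, str]                       # (port number, protocol)


def parse_grepable(text: str) -> Dict[str, Dict[Port, dict]]:
    """Parse Nmap -oG output into {ip: {(port, proto): {state, service, version}}}.
    Each port entry has seven '/'-separated fields: port, state, protocol,
    owner, service, SunRPC info, version (Nmap escapes '/' inside them)."""
    hosts: Dict[str, Dict[Port, dict]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                          # comments and "Status: Up" lines
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        ports = hosts.setdefault(ip, {})
        for entry in fields["Ports"].split(", "):
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            ports[(int(port), proto)] = {"state": state, "service": service, "version": version}
    return hosts


def diff_scans(old, new) -> List[Tuple[str, int, str, str, str]]:
    """(ip, port, proto, old_state, new_state) for every port that is new,
    gone, or changed state between two saved scans."""
    changes = []
    for ip in sorted(set(old) | set(new)):
        before, after = old.get(ip, {}), new.get(ip, {})
        for key in sorted(set(before) | set(after)):
            s_old = before.get(key, {}).get("state", "absent")
            s_new = after.get(key, {}).get("state", "absent")
            if s_old != s_new:
                changes.append((ip, key[0], key[1], s_old, s_new))
    return changes


def unexpected_open_ports(hosts, baseline: Dict[str, set]) -> List[Tuple[str, int, str]]:
    """Open ports not on the documented per-host baseline: the "suspicious ports" of the lab objective."""
    return sorted((ip, port, proto)
                  for ip, ports in hosts.items()
                  for (port, proto), info in ports.items()
                  if info["state"] == "open" and (port, proto) not in baseline.get(ip, set()))


# Constructed sample reports (not captured from the lab), tab-separated as -oG writes them.
SCAN_MONDAY = (
    "# Nmap scan initiated (constructed sample) as: nmap -T4 -A -v -oA monday 10.0.0.4\n"
    "Host: 10.0.0.4 ()\tStatus: Up\n"
    "Host: 10.0.0.4 ()\tPorts: 80/open/tcp//http//Microsoft IIS httpd 7.0/, "
    "135/open/tcp//msrpc//Microsoft Windows RPC/, 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//netbios-ssn///\tIgnored State: closed (996)\n"
    "# Nmap done (constructed sample) -- 1 IP address (1 host up) scanned\n"
)
SCAN_TUESDAY = (
    "Host: 10.0.0.4 ()\tStatus: Up\n"
    "Host: 10.0.0.4 ()\tPorts: 80/open/tcp//http//Microsoft IIS httpd 7.0/, "
    "135/open/tcp//msrpc//Microsoft Windows RPC/, 139/open/tcp//netbios-ssn///, "
    "445/filtered/tcp//netbios-ssn///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (995)\n"
)
BASELINE = {"10.0.0.4": {(80, "tcp"), (135, "tcp"), (139, "tcp"), (445, "tcp")}}


def compare_samples():
    """Run the comparison over the two constructed reports."""
    monday, tuesday = parse_grepable(SCAN_MONDAY), parse_grepable(SCAN_TUESDAY)
    return diff_scans(monday, tuesday), unexpected_open_ports(tuesday, BASELINE)


if __name__ == "__main__":
    print(" ".join(nmap_command("Xmas Scan", "10.0.0.4", "xmas-10.0.0.4")))
    changes, suspicious = compare_samples()
    for ip, port, proto, before, after in changes:
        print("%s %d/%s: %s -> %s" % (ip, port, proto, before, after))
    for ip, port, proto in suspicious:
        print("not on baseline: %s %d/%s" % (ip, port, proto))
```

Between the two constructed reports the comparison flags 445/tcp going from open to filtered and 3389/tcp appearing, and the baseline check singles out 3389/tcp as the port to investigate. Running the same profile on a schedule with -oA and diffing the .gnmap files this way is the practical form of the "monitor host or service uptime" objective.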

Lab Analysis

Document all the IP addresses, open and closed ports, services, and protocols you discovered during the lab.


Questions

1. Analyze and evaluate the results by scanning a target network using:

a. Stealth Scan (Half-open Scan)

b. nmap -P

2. Perform Inverse TCP Flag Scanning and analyze hosts and services for a target machine in the network.



