The purpose of this lab is to become familiar with a port mapper (nmap) and a vulnerability scanner (Nessus), and to see how they can be used as part of system administration to prevent and respond to network-based attacks. Unlike packet sniffers and IDSs, network port mappers and vulnerability scanners are active rather than passive devices.
Only use these tools on IP addresses you've been authorized to scan. Make sure to follow all rules and guidelines for ethical security practices.
For this lab, you are only authorized to scan the following IP address range:
172.17.200.60 to 172.17.200.89

This is the IP address range for the machines in Rm 315. You can also scan the VMware IP addresses on your specific machine in Rm 315. You can find the VMware IP addresses by starting a Terminal on the CS340 desktop and running the commands:
/sbin/ifconfig vmnet1
/sbin/ifconfig vmnet8

DO NOT scan any other IP addresses during this lab.
+ by investigators to check for the "unlocked doors" after a crime has been committed
+ by sysadmins as a security audit tool for crime prevention
+ by criminals for network reconnaissance
Nmap attempts to find a list of active hosts (IP addresses) and a list of
active servers on those hosts (ports) from the given input. For active hosts,
Nmap returns 6 port states:
open, closed, filtered, unfiltered, open|filtered, closed|filtered
/etc/inetd.conf controls closed/open state of many common network servers. Some servers, like Apache and SSHD, might be controlled by their own startup scripts in /etc/init.d instead of by inetd.
How detecting the state works:
TCP SYN scan (Nmap default): The scanner sends a SYN (synchronization, e.g. connection request) TCP packet to the victim. The victim's response will determine the port state.

  Port State   Victim's Response
  ==========   ==============================================
  closed       RST (reset) TCP packet
  open         SYN or SYN/ACK (accept requested connection) TCP packet
  filtered     ICMP host/port/protocol unreachable
  filtered     ICMP network/host/communication administratively prohibited
  filtered     no response received

UDP scan: The scanner sends a UDP packet to the victim.

  Port State      Victim's Response
  =============   ==============================================
  closed          ICMP port unreachable
  open            send another UDP packet in reply
  filtered        ICMP host/protocol unreachable
  filtered        ICMP network/host/communication administratively prohibited
  open|filtered   no response received

TCP ACK scan: The scanner sends an ACK (acknowledgement) TCP packet to the victim.

  Port State   Victim's Response
  ==========   ==============================================
  unfiltered   RST TCP packet
  filtered     ICMP host/port/protocol unreachable
  filtered     ICMP network/host/communication administratively prohibited
  filtered     no response received

TCP Idle scan: The scanner probes a zombie host to determine its IP fragmentation ID (IP ID). The scanner sends a packet spoofed as coming from the zombie host to the victim. The scanner probes the zombie host again to determine its IP ID.

  Port State        Difference between original IP ID and reprobed IP ID
  ===============   ==============================================
  closed|filtered   Exactly 1 (victim sent zombie RST and zombie ignored it)
  open              Exactly 2 (victim sent zombie SYN/ACK and zombie sent victim RST)

Any other difference means the scan did not work.
Read through this sample Nmap log. This log was generated by scanning sumatra (before its untimely demise) with the following Nmap options:
nmap -A -T4 sumatra.cs.csubak.edu

Do NOT try this scan yourself since it is not part of the allowed scan range (and Sumatra is now a dead machine).
Start your Etch virtual machine, log in as student and sudo to root for this portion of the lab. Nmap should already be installed on Etch. If you run into any issues accessing the network, edit your Etch virtual machine to use NAT networking mode instead of bridged networking mode.
Refer to the nmap man page and basic scanning techniques for additional help.
One of the most useful activities with nmap, and often the first you will do, is host discovery. The following command will try to find all the hosts powered on in Rm 315. (It may fail if the Cisco switch decides to block the port scanning.)
Question 1 - How many machines are discovered when you run the following command?
nmap -PS 172.17.200.60-89
The most reliable machines to scan will be your host machine and your Windows virtual machine, as the Cisco switch can't block packets being sent within your machine. So start your Windows virtual machine, but don't log in to it. Just leave it running as another host to scan.
Determine the IP address of your VMware network by checking for the IP address of vmnet8 on the CS340 desktop or by checking for the IP address of eth0 on Etch, e.g.:
/sbin/ifconfig eth0

For example, if the output says the IP address is 172.16.70.5 and the netmask is 255.255.255.0, then the IP netblock for your VMware installation would be 172.16.70.0/24.
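The netblock can be worked out from the ifconfig output rather than by hand. The script below is an added example, not part of the lab handout; it assumes the Linux ifconfig output format shown (inet addr: / Mask:), and the sample output is constructed to match the lab's example values.

```shell
# Added example, not part of the lab handout: derive the VMware netblock (CIDR)
# from the address and netmask that ifconfig reports.

# Constructed ifconfig-style output using the lab's example values.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:0c:29:3a:7f:12
          inet addr:172.16.70.5  Bcast:172.16.70.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# mask_to_prefix 255.255.255.0 -> 24 : count the set bits in the dotted-quad mask
mask_to_prefix() {
    echo "$1" | awk -F. '{
        bits = 0
        for (i = 1; i <= 4; i++) {
            o = $i
            while (o > 0) { bits += o % 2; o = int(o / 2) }
        }
        print bits
    }'
}

# netblock 172.16.70.5 255.255.255.0 -> 172.16.70.0/24
# AND each address octet with the mask octet, then append the prefix length.
netblock() {
    net=$(echo "$1 $2" | awk '{
        split($1, a, "."); split($2, m, ".")
        for (i = 1; i <= 4; i++) {
            # bitwise AND done with arithmetic so it works in any POSIX awk
            r = 0; bit = 1; x = a[i]; y = m[i]
            for (b = 0; b < 8; b++) {
                if (x % 2 == 1 && y % 2 == 1) r += bit
                x = int(x / 2); y = int(y / 2); bit *= 2
            }
            n[i] = r
        }
        printf "%d.%d.%d.%d", n[1], n[2], n[3], n[4]
    }')
    echo "$net/$(mask_to_prefix "$2")"
}

# netblock_from_ifconfig "<ifconfig output>": pull out inet addr and Mask, then compute
netblock_from_ifconfig() {
    addr=$(echo "$1" | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p')
    mask=$(echo "$1" | sed -n 's/.*Mask:\([0-9.]*\).*/\1/p')
    netblock "$addr" "$mask"
}

netblock_from_ifconfig "$SAMPLE_IFCONFIG"   # prints 172.16.70.0/24
```

On Etch the same functions can be fed live output with netblock_from_ifconfig "$(/sbin/ifconfig eth0)".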
Question 2 - What is the IP netblock for your VMware installation?
In the next portion of the lab you will run an nmap scan against the virtual computers in your VMware private network or other machines as specified. Replace 172.16.70.0/24 with the answer you just gave for Question 1.
Question 3 - Run the following command. What does it do?
nmap -sP 172.16.70.0/24

Question 4 - Run the following command. What does it do?
nmap -O 172.16.70.0/24

Question 5 - Click over to your Windows machine and log in. Open cmd.exe and type
ipconfig

Replace 172.16.70.10 in the following command with the actual IP address that ipconfig returns.
Run the following command. What open ports does it list on your Windows machine?
nmap -A 172.16.70.10
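Counting discovered hosts (Question 1) and listing a host's open ports (Question 5) can be done from nmap's grepable output (nmap -oG - <targets>) instead of reading the normal output by eye. The script below is an added example, not part of the lab handout; the scan output it parses is constructed in the -oG format, not captured from a real scan.

```shell
# Added example, not part of the lab handout: parse nmap's grepable output
# (nmap -oG - <targets>) to count live hosts and list a host's open ports.

# Constructed sample in the shape nmap -oG writes (fields are tab-separated;
# each port entry is port/state/protocol/owner/service/rpcinfo/version/).
TAB=$(printf '\t')
SAMPLE_GREPABLE=$(printf '%b\n' \
  '# Nmap scan initiated (constructed sample)' \
  'Host: 172.16.70.1 ()\tStatus: Up' \
  'Host: 172.16.70.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (1695)' \
  'Host: 172.16.70.10 ()\tStatus: Up' \
  'Host: 172.16.70.10 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-term-serv///\tIgnored State: closed (1693)' \
  'Host: 172.16.70.2 ()\tStatus: Down' \
  '# Nmap done (constructed sample) -- 3 IP addresses (2 hosts up)')

# hosts_up <output>: number of hosts nmap reported as Up
hosts_up() {
    echo "$1" | grep -c 'Status: Up'
}

# open_ports <output> <host>: space-separated open port numbers for one host,
# skipping entries in any other state (closed, filtered, open|filtered, ...)
open_ports() {
    echo "$1" | awk -F "$TAB" -v host="$2" '
        $1 == ("Host: " host " ()") && $2 ~ /^Ports:/ {
            out = ""
            sub(/^Ports: /, "", $2)
            n = split($2, p, ", ")
            for (i = 1; i <= n; i++) {
                split(p[i], f, "/")
                if (f[2] == "open") out = out (out == "" ? "" : " ") f[1]
            }
            print out
        }'
}

echo "hosts up: $(hosts_up "$SAMPLE_GREPABLE")"                          # 2
echo "172.16.70.10 open: $(open_ports "$SAMPLE_GREPABLE" 172.16.70.10)"  # 135 139 445
```

Running the same functions over saved output from your own allowed scans (nmap -oG scan.txt ...) gives a repeatable inventory to compare against later scans.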