gauravt

Nmap Works Almora

Dec 4th, 2021
937
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Explore Various Network Scanning Techniques using Nmap
  2. Nmap comes with various inbuilt scripts that can be employed during a scanning process in an attempt to find the open ports and services running on the ports. It sends specially crafted packets to the target host, and then analyzes the responses to accomplish its goal. Nmap includes many port scanning mechanisms (TCP and UDP), OS detection, version detection, ping sweeps, etc.
  3.  
  4. Here, we will use Nmap to discover open ports and services running on the live hosts in the target network.
  5.  
  6. In the Windows 10 machine, navigate to the Desktop and double-click Nmap - Zenmap GUI shortcut.
  7.  
  8. 222.png
  9.  
  10. The Nmap - Zenmap GUI appears; in the Command field, type the command nmap -sT -v [Target IP Address] (here, the target IP address is 10.10.10.16) and click Scan.
  11.  
  12. -sT: performs the TCP connect/full open scan and -v: enables the verbose output (include all hosts and ports in the output).
  13.  
  14. The scan results appear, displaying all the open TCP ports and services running on the target machine, as shown in the screenshot.
  15.  
  16. TCP connect scan completes a three-way handshake with the target machine. In the TCP three-way handshake, the client sends a SYN packet, which the recipient acknowledges with the SYN+ACK packet. In turn, the client acknowledges the SYN+ACK packet with an ACK packet to complete the connection. Once the handshake is completed, the client sends an RST packet to end the connection.
  17.  
  18. Screenshot
  19.  
  20. Click the Ports/Hosts tab to gather more information on the scan results. Nmap displays the Port, Protocol, State, Service, and Version of the scan.
  21.  
  22. Screenshot
  23.  
  24. Click the Topology tab to view the topology of the target network that contains the provided IP address and click the Fisheye option to view the topology clearly.
  25.  
  26. Screenshot
  27.  
  28. In the same way, click the Host Details tab to view the details of the TCP connect scan.
  29.  
  30. Click the Scans tab to view the command used to perform TCP connect/full open scan.
  31.  
  32. Click the Services tab located in the right pane of the window. This tab displays a list of services.
  33.  
  34. You can use any of these services and their open ports to enter into the target network/host and establish a connection.
  35.  
  36. In this lab, we shall be performing a stealth scan/TCP half-open scan, Xmas scan, TCP Maimon scan, and ACK flag probe scan on a firewall-enabled machine (i.e., Windows Server 2016) in order to observe the result. To do this, we need to enable Windows Firewall in the Windows Server 2016 machine.
  37.  
  38. Click Windows Server 2016 to switch to the Windows Server 2016 machine.
  39.  
  40. Click Ctrl+Alt+Delete to activate the machine. By default, Administration user profile is selected, click Pa$$w0rd to paste the password in the Password field and press Enter to login.
  41.  
  42. Alternatively, you can also click Pa$$w0rd under Windows Server 2016 machine thumbnail in the Resources pane or Click Type Text | Type Password button under Commands (thunder icon) menu.
  43.  
  44. Screenshot
  45.  
  46. Navigate to Control Panel --> System and Security --> Windows Firewall --> Turn Windows Firewall on or off, enable Windows Firewall and click OK, as shown in the screenshot.
  47.  
  48. Screenshot
  49.  
  50. Now, click Windows 10 switch to the Windows 10 machine. In the Command field of Zenmap, type the command nmap -sS -v [Target IP Address] (here, the target IP address is 10.10.10.16) and click Scan.
  51.  
  52. -sS: performs the stealth scan/TCP half-open scan and -v: enables the verbose output (include all hosts and ports in the output).
  53.  
  54. The scan results appear, displaying all open TCP ports and services running on the target machine, as shown in the screenshot.
  55.  
  56. The stealth scan involves resetting the TCP connection between the client and server abruptly before completion of three-way handshake signals, and hence leaving the connection half-open. This scanning technique can be used to bypass firewall rules, logging mechanisms, and hide under network traffic.
  57.  
  58. Screenshot
  59.  
  60. As shown in the last task, you can gather detailed information from the scan result in the Ports/Hosts, Topology, Host Details, and Scan tab.
  61.  
  62. In the Command field of Zenmap, type the command nmap -sX -v [Target IP Address] (here, the target IP address is 10.10.10.16) and click Scan.
  63.  
  64. -sX: performs the Xmas scan and -v: enables the verbose output (include all hosts and ports in the output).
  65.  
  66. The scan results appear, displaying that the ports are either open or filtered on the target machine, which means a firewall has been configured on the target machine.
  67.  
  68. Xmas scan sends a TCP frame to a target system with FIN, URG, and PUSH flags set. If the target has opened the port, then you will receive no response from the target system. If the target has closed the port, then you will receive a target system reply with an RST.
  69.  
  70. Screenshot
  71.  
  72. In the Command field, type the command nmap -sM -v [Target IP Address] (here, the target IP address is 10.10.10.16) and click Scan.
  73.  
  74. -sM: performs the TCP Maimon scan and -v: enables the verbose output (include all hosts and ports in the output).
  75.  
  76. The scan results appear, displaying either the ports are open/filtered on the target machine, which means a firewall has been configured on the target machine.
  77.  
  78. In the TCP Maimon scan, a FIN/ACK probe is sent to the target; if there is no response, then the port is Open|Filtered, but if the RST packet is sent as a response, then the port is closed.
  79.  
  80. Screenshot
  81.  
  82. In the Command field, type the command nmap -sA -v [Target IP Address] (here, the target IP address is 10.10.10.16) and click Scan.
  83.  
  84. -sA: performs the ACK flag probe scan and -v: enables the verbose output (include all hosts and ports in the output).
  85.  
  86. The scan results appear, displaying that the ports are unfiltered on the target machine, as shown in the screenshot.
  87.  
  88. The ACK flag probe scan sends an ACK probe packet with a random sequence number; no response implies that the port is filtered (stateful firewall is present), and an RST response means that the port is not filtered.
  89.  
  90. Screenshot
  91.  
  92. Now, click Windows Server 2016 to switch to the Windows Server 2016 machine.
  93.  
  94. If you are logged out of the Windows Server 2016 machine, then click Ctrl+Alt+Delete to activate the machine. By default, Administration user profile is selected, click Pa$$w0rd to paste the password in the Password field and press Enter to login.
  95.  
  96. Alternatively, you can also click Pa$$w0rd under Windows Server 2016 machine thumbnail in the Resources pane or Click Type Text | Type Password button under Commands (thunder icon) menu.
  97.  
  98. Turn off the Windows Firewall from Control Panel.
  99.  
  100. Screenshot
  101.  
  102. Now, click Windows 10 to return to the Windows 10 machine. In the Command field, type the command nmap -sU -v [Target IP Address] (here, the target IP address is 10.10.10.16) and click Scan.
  103.  
  104. -sU: performs the UDP scan and -v: enables the verbose output (include all hosts and ports in the output).
  105.  
  106. The scan results appear, displaying all open UDP ports and services running on the target machine, as shown in the screenshot.
  107.  
  108. This scan will take approximately 20 minutes to finish the scanning process and the results might differ in your lab environment.
  109.  
  110. The UDP scan uses UDP protocol instead of the TCP. There is no three-way handshake for the UDP scan. It sends UDP packets to the target host; no response means that the port is open. If the port is closed, an ICMP port unreachable message is received.
  111.  
  112. Screenshot
  113.  
  114. Close the Zenmap window.
  115.  
  116. You can create your scan profile, or you can also choose the default scan profiles available in Nmap to scan a network.
  117.  
  118. Double-click the Nmap - Zenmap GUI shortcut from Desktop to launch Nmap.
  119.  
  120. To choose the default scan profiles available in Nmap, click on the drop-down icon in the Profile field and select the scanning technique you want to use.
  121.  
  122. Screenshot
  123.  
  124. To create a scan profile; click Profile --> New Profile or Command.
  125.  
  126. If a User Account Control pop-up appears, click Yes.
  127.  
  128. Screenshot
  129.  
  130. The Profile Editor window appears. In the Profile tab, under the Profile Information section, input a profile name (here, Null Scan) into the Profile name field.
  131.  
  132. Screenshot
  133.  
  134. Now, click the Scan tab and select the scan option (here, Null scan (-sN)) from the TCP scan drop-down list.
  135.  
  136. Select None in the Non-TCP scans drop-down list and Aggressive (-T4) in the Timing template list. Ensure that the Enable all advanced/aggressive options (-A) checkbox is selected and click Save Changes, as shown in the screenshot.
  137.  
  138. Using this configuration, you are setting Nmap to perform a null scan with the time template as -T4 and all aggressive options enabled.
  139.  
  140. This will create a new profile, and will thus be added to the profile list.
  141.  
  142. Screenshot
  143.  
  144. In this task, we will be targeting the Ubuntu machine (10.10.10.9).
  145.  
  146. In the main window of Zenmap, enter the target IP address (here, 10.10.10.9) in the Target field to scan. Select the Null Scan profile, which you created from the Profile drop-down list, and then click Scan.
  147.  
  148. Screenshot
  149.  
  150. Nmap scans the target and displays results in the Nmap Output tab, as shown in the screenshot.
  151.  
  152. Screenshot
  153.  
  154. Apart from the aforementioned port scanning and service discovery techniques, you can also use the following scanning techniques to perform a port and service discovery on a target network using Nmap.
  155.  
  156. IDLE/IPID Header Scan: A TCP port scan method that can be used to send a spoofed source address to a computer to discover what services are available.
  157.  
  158. # nmap -sI -v [target IP address]
  159.  
  160. SCTP INIT Scan: An INIT chunk is sent to the target host; an INIT+ACK chunk response implies that the port is open, and an ABORT Chunk response means that the port is closed.
  161.  
  162. # nmap -sY -v [target IP address]
  163.  
  164. SCTP COOKIE ECHO Scan: A COOKIE ECHO chunk is sent to the target host; no response implies that the port is open and ABORT Chunk response means that the port is closed.
  165.  
  166. # nmap -sZ -v [target IP address]
  167.  
  168. In the Command field, type the command nmap -sV [Target IP Address] (here, the target IP address is 10.10.10.16) and click Scan.
  169.  
  170. -sV: detects service versions.
  171.  
  172. The scan results appear, displaying that open ports and the version of services running on the ports, as shown in the screenshot.
  173.  
  174. Service version detection helps you to obtain information about the running services and their versions on a target system. Obtaining an accurate service version number allows you to determine which exploits the target system is vulnerable to.
  175.  
  176. Screenshot
  177.  
  178. In the Command field, type the command nmap -A [Target Subnet] (here, target subnet is 10.10.10.* ) and click Scan. By providing the “*(asterisk) wildcard, you can scan a whole subnet or IP range.
  179.  
  180. -A: enables aggressive scan. The aggressive scan option supports OS detection (-O), version scanning (-sV), script scanning (-sC), and traceroute (--traceroute). You should not use -A against target networks without permission.
  181.  
  182. Nmap scans the entire network and displays information for all the hosts that were scanned, along with the open ports and services, device type, details of OS, etc. as shown in the screenshot.
  183.  
  184. Screenshot
  185.  
  186. Choose an IP address 10.10.10.16 from the list of hosts in the left-pane and click the Host Details tab. This tab displays information such as Host Status, Addresses, Operating System, Ports used, OS Classes, etc. associated with the selected host.
  187.  
  188. Screenshot
  189.  
  190. This concludes the demonstration of discovering target open ports, services, services versions, device type, OS details, etc. of the active hosts in the target network using various scanning techniques of Nmap.
  191.  
  192. Close all open windows and document all the acquired information.
RAW Paste Data