Lab 2.1: Port Scanning 1 - Ptsoares/SEC_335_Techjournal GitHub Wiki
Overview
The goal of this lab was to work with bash scripts, nmap, and wireshark to better understand how port scanning works as a form of reconnaissance for penetration testing.
Useful Commands and Instructions
The first resource to reference is the lightly customized script found in my code. It was amazing how subtle changes made such a difference in the level of user-friendliness, since I prefer prompts as opposed to inferred syntax when dealing with scripts. Changing the .csv output format to a colon for the delimiter also made the information more logical, since it now formats the ports as they would be in a human context.
nmap and Wireshark
nmap and wireshark played significant roles in this lab, and below are some of the relevant commands and what they do:
tcp.port == [PORTNUM]
The Wireshark filter above is excellent at weeding out all the extra noise when looking at nmap results. The same filter works for UDP as udp.port == [PORTNUM].
sudo nmap 10.0.5.31 -p 3389
The command above runs nmap against a single host. When nmap is run as root (via sudo) it defaults to a SYN (half-open) scan, which is quieter than the full TCP connect scan an unprivileged user gets, and the -p flag restricts the scan to a specific port. In the context of this lab, we first ran a general nmap scan to identify the open ports; the focused -p scan then gives a narrower output for one of them. Before that, our portscanner.sh script was used to run nmap against our list of identified hosts and various common ports.
Another helpful note on nmap: the -Pn flag (switch/option) disables host discovery, so nmap treats every target as up and goes straight to port scanning. This matters for hosts that block ICMP echo requests, which a default scan would otherwise skip as "down".
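The prompt-driven scanner described above, written out as an added example. This is not the page's own portscanner.sh (that script is not reproduced here) but a bash script with the same shape: it prompts for a hosts file and a port list instead of taking positional parameters, runs nmap with -Pn and -p against every host in the file, and prints each open port as host:port rather than as CSV. The function names parse_open_ports, scan_hosts, sample_grepable_output and main are my own, and the nmap output embedded in sample_grepable_output is a constructed sample, not data from a real scan.

```bash
#!/usr/bin/env bash
# Added example, not the page's own portscanner.sh: a prompt-driven wrapper around nmap
# that reads a hosts file, scans a list of ports, and prints open ports as host:port.
set -eu

# Turn nmap "grepable" output (-oG) from stdin into one host:port line per open port.
# Assumes nmap's standard -oG line shape:
#   "Host: <addr> (<name>)<TAB>Ports: <port>/<state>/<proto>//<service>///, ...<TAB>..."
# Only the "open" state is reported; "open|filtered" (common for UDP) is left out on purpose.
parse_open_ports() {
    awk '
        /^Host:/ && /Ports:/ {
            host = $2                       # address is the second whitespace-separated field
            sub(/.*Ports: /, "")            # keep only the port list ...
            sub(/\t.*/, "")                 # ... and drop trailing tab-separated fields
            n = split($0, entries, ", ")    # one entry per scanned port
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")   # f[1] = port, f[2] = state, f[3] = protocol
                if (f[2] == "open") print host ":" f[1]
            }
        }'
}

# Scan every host in a file (one per line) for the given nmap port spec.
# -Pn skips host discovery, -iL reads the target list, -oG - writes grepable output to stdout;
# running under sudo makes nmap default to a SYN scan, as the lab notes describe.
scan_hosts() {
    hosts_file="$1"
    ports="$2"
    sudo nmap -Pn -p "$ports" -iL "$hosts_file" -oG - | parse_open_ports
}

# Constructed sample of -oG output (not real scan data) so the parser can be tried offline.
sample_grepable_output() {
    printf '# Nmap scan initiated (constructed sample) as: nmap -Pn -p 22,80,3389 -iL hosts.txt -oG -\n'
    printf 'Host: 10.0.5.31 ()\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (0)\n'
    printf 'Host: 10.0.5.32 ()\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http///, 3389/closed/tcp//ms-wbt-server///\n'
    printf '# Nmap done -- 2 IP addresses (2 hosts up) scanned in 1.23 seconds\n'
}

# Interactive entry point: prompts instead of positional parameters.
main() {
    printf 'Path to hosts file (one IP or hostname per line): '
    read -r hosts_file
    printf 'Ports to scan (nmap syntax, e.g. 22,80,3389 or 1-1024): '
    read -r ports
    [ -r "$hosts_file" ] || { echo "cannot read $hosts_file" >&2; exit 1; }
    scan_hosts "$hosts_file" "$ports"
}

# Prompt only when stdin is a terminal; sourcing the file just defines the functions.
if [ -t 0 ]; then
    main
fi
```

Save it as portscanner.sh and run it from a terminal to get the two prompts; to see the parser by itself without scanning anything, source the file and run sample_grepable_output | parse_open_ports, which prints 10.0.5.31:22, 10.0.5.31:3389 and 10.0.5.32:80. Parsing -oG rather than the default human-readable output keeps the script independent of nmap's table layout, and reporting only the "open" state (not "open|filtered") avoids listing ports that were merely unanswered.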
nmap Resource
Here's a cleanly organized reference to better understand how nmap switches work.
Troubleshooting/Reflection
I had to conduct multiple iterations of trial and error when editing the bash script--once I found the proper syntax to set up the output display properly (simply replacing the comma with a colon and testing it), I needed to determine how to change the input. Although adding parameters right after calling the bash script is convenient to the more knowledgeable programmer, I wanted to adjust the input so that someone who doesn't see the inner workings of the script could reasonably utilize the simple tool. I researched the proper syntax to prompt the user in bash, and then applied my findings to the code, swapping out the parameter pointers for inputs that were recognized as variables.
To filter out the swath of information in Wireshark, I recalled my previous experiences with the tool. Port filtering has proven to be one of the most effective ways to weed out unnecessary information, so I used this strategy to locate the important packets. It was also helpful to utilize the color coding that Wireshark has for the flagged packets. I prefer to use it as a last resort, but it has its uses.
Questions & Misc.
N/A