21CY683 ‐Cybersecurity Lab Experiment–4 ‐ NMAP - archie-archana/Cyberlabs GitHub Wiki

NMAP

Nmap (Network Mapper) is a free and open-source network scanning tool used for discovering devices and services on computer networks, thus creating a "map" of the network. It's commonly used for security auditing and network inventory, among other purposes. Here are some key features and functionalities of Nmap:

  • Host Discovery: Nmap can be used to discover hosts on a network by sending packets and analyzing responses to determine which hosts are online.

  • Port Scanning: It can perform various types of port scans to identify open ports and services running on target hosts. This helps in understanding the network topology and identifying potential security vulnerabilities.

  • Operating System Detection: Nmap has the capability to identify the operating systems running on target hosts based on subtle differences in network packet responses.

  • Service Version Detection: It can identify the versions of services running on open ports, helping to determine the specific software and potential vulnerabilities.

  • Scripting Engine: Nmap includes a powerful scripting engine (Nmap Scripting Engine or NSE) that allows users to write custom scripts to automate tasks, perform advanced network analysis, and extend Nmap's functionality.

  • Output Formats: Nmap supports various output formats, including plain text, XML, grepable output, and interactive output. This flexibility allows users to analyze scan results using different tools and workflows.

  • Flexible and Customizable: Nmap offers a wide range of options and parameters to customize scans according to specific requirements. Users can control scan intensity, timing, target specification, and other parameters to optimize scan results.

  • Integration with Other Tools: Nmap can be integrated with other security tools and frameworks, such as Metasploit, Wireshark, and Nessus, to provide comprehensive network reconnaissance and vulnerability assessment capabilities.

  • Community Support and Documentation: Nmap has a large and active user community, providing support, documentation, and resources for users of all skill levels. The official Nmap website and mailing lists are valuable resources for learning and troubleshooting.



a) Explain the subnet and use the NMAP Command to scan the services for the whole subnet

Subnetting is the process of dividing a larger network into smaller, more manageable subnetworks or subnets. It allows network administrators to efficiently allocate IP addresses and control network traffic flow. Each subnet has its own unique network address and range of IP addresses.

When subnetting, you typically define a subnet mask, which determines the size of each subnet and the number of hosts it can accommodate. The subnet mask is used to divide the IP address into two parts: the network portion and the host portion. The network portion identifies the subnet, while the host portion identifies individual devices within the subnet.

For example, consider the IP address 192.168.1.0 with a subnet mask of 255.255.255.0 (commonly represented as /24). This subnet mask indicates that the first 24 bits of the IP address represent the network portion, leaving 8 bits for the host portion. Therefore, this subnet can accommodate up to 2^8 - 2 = 254 hosts (the 2 subtracted are the network address and the broadcast address, which cannot be assigned to devices).
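The arithmetic above, carried out for any CIDR block, as an added example (this code is not part of the wiki page; it uses only Python's standard `ipaddress` module). Besides the /24 case it handles the two edge cases the 2^n - 2 rule does not cover: a /31 point-to-point link (RFC 3021), where both addresses are usable, and a /32 single host. The `nmap_target` field is the block written in the form Nmap accepts as a target, e.g. `nmap -sV 192.168.1.0/24`.

```python
import ipaddress


def subnet_summary(cidr: str) -> dict:
    """Split a CIDR block into network, netmask, broadcast and usable-host range.

    Usable hosts follow the page's 2^host_bits - 2 rule, except that a /31
    (RFC 3021 point-to-point) has no separate network/broadcast address and
    a /32 is a single host; both are returned as-is.
    """
    # strict=False lets a host address such as 192.168.1.77/24 be normalised
    # to its network 192.168.1.0/24 instead of raising.
    net = ipaddress.ip_network(cidr, strict=False)
    host_bits = net.max_prefixlen - net.prefixlen
    first_addr = int(net.network_address)
    last_addr = int(net.broadcast_address)

    if host_bits <= 1:  # /31 or /32 for IPv4
        usable = net.num_addresses
        first_host, last_host = first_addr, last_addr
    else:
        usable = 2 ** host_bits - 2
        first_host, last_host = first_addr + 1, last_addr - 1

    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "prefixlen": net.prefixlen,
        "host_bits": host_bits,
        "broadcast": str(net.broadcast_address),
        "usable_hosts": usable,
        "first_host": str(ipaddress.ip_address(first_host)),
        "last_host": str(ipaddress.ip_address(last_host)),
        "nmap_target": str(net),  # e.g. "192.168.1.0/24", usable directly as an Nmap target
    }


if __name__ == "__main__":
    for block in ("192.168.1.0/24", "192.168.1.64/26", "10.0.0.0/31"):
        info = subnet_summary(block)
        print(f"{info['nmap_target']}: netmask {info['netmask']}, "
              f"{info['usable_hosts']} usable hosts "
              f"({info['first_host']} - {info['last_host']}), "
              f"broadcast {info['broadcast']}")
```

Running the script prints one line per block; the /24 line reports 254 usable hosts from 192.168.1.1 to 192.168.1.254, matching the worked example in the text.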

Enables Version Detection (-sV):

-sV enables service version detection, which involves probing open ports on the target host to determine the versions of services running on those ports. This helps in identifying specific software and potential vulnerabilities.

-A Aggressive scan option:

  • Enables OS Detection (-O): -O instructs Nmap to attempt to identify the operating system of the target host by analyzing various network responses. This helps in understanding the target environment and tailoring further attacks or scans.

  • Enables Version Detection (-sV): -sV enables service version detection, which involves probing open ports on the target host to determine the versions of services running on those ports. This helps in identifying specific software and potential vulnerabilities.

  • Enables Script Scanning (-sC): -sC activates the default set of Nmap scripts, known as NSE (Nmap Scripting Engine) scripts, which perform a variety of tasks such as detecting common vulnerabilities, retrieving additional information, and performing additional enumeration.

  • Traceroute and Hop Limit Control (--traceroute): --traceroute instructs Nmap to perform a traceroute to the target host(s) to determine the network path and identify routers or gateways between the source and destination. This option also allows you to control the maximum number of hops to prevent excessive network traversal.



b) What is a firewall and mention its types. Use the NMAP command to detect that a firewall protects the host.

A firewall is a network security device or software that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It acts as a barrier between a trusted internal network and untrusted external networks, such as the internet, to prevent unauthorized access and protect against various security threats.

Types of Firewalls:

  • Packet Filtering Firewall: Packet filtering firewalls operate at the network layer (Layer 3) of the OSI model. They inspect individual packets of data as they pass through the firewall and make filtering decisions based on predefined rules. Filtering criteria typically include source and destination IP addresses, port numbers, and protocols. Packet filtering firewalls are often implemented using access control lists (ACLs) on routers or dedicated firewall devices.

  • Stateful Inspection Firewall: Stateful inspection firewalls combine the capabilities of packet filtering and session tracking. They maintain a state table of active connections and dynamically track the state of network sessions. Stateful inspection firewalls make filtering decisions based on the context of the entire communication session, not just individual packets. This approach provides better security and performance compared to traditional packet filtering firewalls.

  • Proxy Firewall: Proxy firewalls act as intermediaries between internal and external networks. They intercept and inspect incoming and outgoing network traffic on behalf of the internal network. Proxy firewalls terminate and initiate new network connections on behalf of clients, hiding internal IP addresses and providing additional security features such as content filtering and application-layer inspection.

  • Next-Generation Firewall (NGFW): Next-generation firewalls integrate advanced security features beyond traditional packet filtering and stateful inspection. They incorporate capabilities such as application-layer inspection, intrusion prevention, deep packet inspection, and threat intelligence integration. NGFWs provide enhanced visibility, control, and protection against modern security threats and advanced attack vectors.

Determining Firewall Rules

The first step toward bypassing firewall rules is to understand them. Where possible, Nmap distinguishes between ports that are reachable but closed, and those that are actively filtered. An effective technique is to start with a normal SYN port scan, then move on to more exotic techniques such as ACK scan and IP ID sequencing to gain a better understanding of the network.

Standard SYN Scan

One helpful feature of the TCP protocol is that systems are required by RFC 793 to send a negative response to unexpected connection requests in the form of a TCP RST (reset) packet. The RST packet makes closed ports easy for Nmap to recognize. Filtering devices such as firewalls, on the other hand, tend to drop packets destined for disallowed ports. In some cases they send ICMP error messages (usually port unreachable) instead. Because dropped packets and ICMP errors are easily distinguishable from RST packets, Nmap can reliably detect filtered TCP ports from open or closed ones, and it does so automatically.
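The decision rule described above, written out as code so the three outcomes (open, closed, filtered) can be traced back to what the probe received. This is an added example and is not the wiki's or Nmap's own code; it applies the port-state rules Nmap documents for a SYN scan (-sS) and, since the text also mentions ACK scans, for an ACK scan (-sA), where a RST means "unfiltered" and silence means "filtered". The response records are constructed for the illustration, not captured traffic. The `firewall_suspected` flag encodes the point of the section: a host whose unused ports come back filtered instead of closed is one where something in the path is dropping disallowed traffic.

```python
from dataclasses import dataclass
from typing import Optional

# ICMP type 3 (destination unreachable) codes that Nmap treats as "filtered"
# for SYN and ACK scans: host, protocol and port unreachable, plus the three
# administratively-prohibited codes.
FILTERED_ICMP_CODES = {1, 2, 3, 9, 10, 13}


@dataclass(frozen=True)
class Response:
    """What came back for one probe: a TCP segment, an ICMP error, or nothing."""
    kind: str                       # "tcp", "icmp" or "none"
    tcp_flags: str = ""             # e.g. "SA" for SYN/ACK, "RA" for a reset
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


NO_RESPONSE = Response("none")
RST = Response("tcp", "RA")
SYN_ACK = Response("tcp", "SA")
ADMIN_PROHIBITED = Response("icmp", icmp_type=3, icmp_code=13)


def _is_unreachable(resp: Response) -> bool:
    return (resp.kind == "icmp" and resp.icmp_type == 3
            and resp.icmp_code in FILTERED_ICMP_CODES)


def classify_port(scan: str, resp: Response) -> str:
    """Nmap's documented port-state rules for a SYN (-sS) or ACK (-sA) probe."""
    if scan == "syn":
        if resp.kind == "tcp" and "S" in resp.tcp_flags and "A" in resp.tcp_flags:
            return "open"       # SYN/ACK: a service is listening
        if resp.kind == "tcp" and "R" in resp.tcp_flags:
            return "closed"     # RST per RFC 793: host reachable, nothing listening
        if resp.kind == "none" or _is_unreachable(resp):
            return "filtered"   # dropped, or rejected with an ICMP error
        return "unknown"
    if scan == "ack":
        if resp.kind == "tcp" and "R" in resp.tcp_flags:
            return "unfiltered" # a RST to an unsolicited ACK means no stateful filter in the way
        if resp.kind == "none" or _is_unreachable(resp):
            return "filtered"
        return "unknown"
    raise ValueError(f"unsupported scan type: {scan}")


def summarize(scan: str, responses: dict) -> dict:
    """Classify every probed port and roll the states up, the way Nmap's
    'Not shown: N filtered ports' line does."""
    states = {port: classify_port(scan, resp) for port, resp in responses.items()}
    counts: dict = {}
    for state in states.values():
        counts[state] = counts.get(state, 0) + 1
    # Unused ports answering with RST means the host itself is reachable;
    # unused ports going silent (or ICMP-prohibited) points at a firewall.
    firewall_suspected = counts.get("filtered", 0) > 0 and counts.get("closed", 0) == 0
    return {"ports": states, "counts": counts, "firewall_suspected": firewall_suspected}


# Constructed per-port responses for two hosts (illustration only, not captured traffic).
UNFILTERED_HOST = {22: SYN_ACK, 80: SYN_ACK, 23: RST, 443: RST}
FIREWALLED_HOST = {22: SYN_ACK, 80: SYN_ACK, 23: NO_RESPONSE, 443: ADMIN_PROHIBITED}

if __name__ == "__main__":
    for name, host in (("no firewall", UNFILTERED_HOST), ("firewalled", FIREWALLED_HOST)):
        result = summarize("syn", host)
        print(name, result["ports"], result["counts"],
              "firewall suspected:", result["firewall_suspected"])
```

On the first host the two unused ports come back closed, on the second they come back filtered, and only the second raises the firewall flag; that is the same difference a reader looks for in the screenshots that follow.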

Scan output (screenshots omitted): ports are blocked.


c) Use the NMAP command to scan a network and determine which devices are running.

To scan a network we could use a ping scan with the IP address and subnet.

-sn: This option specifies a ping scan, also known as a host discovery scan. Nmap sends ICMP echo request packets (ping) to the target network's IP addresses and analyzes the responses to determine which hosts are online.


This command will send ICMP echo request packets to all IP addresses in the 192.168.131.128/24 subnet and identify which hosts are online based on their responses. It provides a list of IP addresses along with their corresponding status (up or down), allowing you to determine which devices are active on the network.

Wireshark capture (screenshot omitted).


d) What are vertical and horizontal scanning?

Vertical Scanning:

  • Vertical scanning, also known as depth-first scanning, involves probing a single target or a small set of targets comprehensively and exhaustively.
  • In vertical scanning, the focus is on gathering detailed information about a specific target, such as an individual host, server, or network device.
  • This approach typically involves conducting in-depth port scans, service version detection, operating system fingerprinting, vulnerability assessment, and other detailed reconnaissance techniques.
  • Vertical scanning is useful for conducting targeted assessments, penetration testing, and vulnerability analysis on specific assets within a network.
  • The goal of vertical scanning is to gain a deep understanding of the target's security posture, identify potential vulnerabilities, and assess the effectiveness of security controls and defenses.

cmd : -sV: This option enables service version detection, which involves probing open ports on the target host(s) to determine the versions of services running on those ports.

Horizontal Scanning:

  • Horizontal scanning, also known as breadth-first scanning, involves probing a wide range of targets or a large network space systematically and rapidly.

  • In horizontal scanning, the focus is on identifying and cataloging a large number of hosts, servers, or network devices across an entire network or subnet.
  • This approach typically involves performing fast host discovery scans, such as ping scans or ARP scans, to identify active hosts, followed by basic port scans to identify open ports and services.
  • Horizontal scanning is useful for network mapping, inventory management, asset discovery, and initial reconnaissance to identify potential targets for further analysis or exploitation.
  • The goal of horizontal scanning is to create an inventory of network assets, identify potential entry points or attack surfaces, and prioritize targets for further investigation or exploitation.

cmd : -sn: This option specifies a ping scan, also known as host discovery scan. It sends ICMP echo request packets (pings) to the target network's IP addresses and analyzes the responses to determine which hosts are online without performing port scanning.


e) Use the NMAP command to scan multiple hosts

hosts.txt contains the IP addresses or hostnames of the targets, each on a separate line.


-iL <file>: This option tells Nmap to read the list of target hosts from the specified file. Replace <file> with the name of the file containing the list of hosts (hosts.txt here).



f) Use NMAP commands to export the output in XML format.

Exporting the output as an .xml file (-oX):

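What the XML export is for is feeding scan results into other tooling, so here is an added example of reading it back (this code is not part of the wiki page). It parses the element layout Nmap writes with -oX using only the standard library, and serves two parts of this lab at once: section c), by listing the hosts reported up, as a host-discovery (-sn) run would, and this section, by turning open ports and -sV service versions into inventory rows. The XML below is a constructed sample in that layout, not real scan output; note that Nmap folds ports that all shared one state into an `extraports` element, which is where a firewall's silently dropped ports end up.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape 'nmap -sV -oX scan.xml ...' writes (not real output).
# Host 1 answered with two open ports and dropped the rest; host 2 never replied.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.1.0/24" start="0">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <hostnames><hostname name="web01.lab.example" type="PTR"/></hostnames>
    <ports>
      <extraports state="filtered" count="998">
        <extrareasons reason="no-responses" count="998"/>
      </extraports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack" reason_ttl="64"/>
        <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.1.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> list:
    """Turn Nmap XML into host records: address, hostname, up/down, each
    reported port's state and service, and the collapsed 'extraports' counts."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']") or host.find("address")
        hostname = host.find("hostnames/hostname")
        status = host.find("status")
        record = {
            "address": addr.get("addr") if addr is not None else None,
            "hostname": hostname.get("name") if hostname is not None else None,
            "state": status.get("state") if status is not None else None,
            "ports": [],
            "extraports": {},
        }
        for extra in host.findall("ports/extraports"):
            record["extraports"][extra.get("state")] = int(extra.get("count", "0"))
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            record["ports"].append({
                "port": int(port.get("portid")),
                "protocol": port.get("protocol"),
                "state": state.get("state") if state is not None else None,
                "reason": state.get("reason") if state is not None else None,
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        hosts.append(record)
    return hosts


def live_hosts(hosts: list) -> list:
    """The host-discovery view (what 'nmap -sn' answers): addresses reported up."""
    return [h["address"] for h in hosts if h["state"] == "up"]


def open_services(hosts: list) -> list:
    """Inventory rows (address, port, service, product+version) for open ports."""
    rows = []
    for h in hosts:
        for p in h["ports"]:
            if p["state"] == "open":
                version = " ".join(x for x in (p["product"], p["version"]) if x)
                rows.append((h["address"], p["port"], p["service"], version))
    return rows


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_XML)
    print("hosts up:", live_hosts(parsed))
    for row in open_services(parsed):
        print(row)
```

To use it on a real export, replace `SAMPLE_XML` with the contents of the file written by `-oX`. Parsing your own scan output with the standard library is fine; XML received from someone else is untrusted input and is better parsed with a hardened parser such as defusedxml.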


g) Use the NMAP command to get OS information about a host.

To get Operating System (OS) information about a host using Nmap, you can use the -O option in your Nmap command.

OS detection enables some other tests which make use of information that is gathered during the process anyway. One of these is TCP Sequence Predictability Classification. This measures approximately how hard it is to establish a forged TCP connection against the remote host. It is useful for exploiting source-IP based trust relationships (rlogin, firewall filters, etc.) or for hiding the source of an attack.

options:

-O (Enable OS detection) Enables OS detection, as discussed above. Alternatively, you can use -A to enable OS detection along with other things.


--osscan-limit (Limit OS detection to promising targets) OS detection is far more effective if at least one open and one closed TCP port are found. Set this option and Nmap will not even try OS detection against hosts that do not meet these criteria. This can save substantial time, particularly on -Pn scans against many hosts. It only matters when OS detection is requested with -O or -A.

--osscan-guess; --fuzzy (Guess OS detection results) When Nmap is unable to detect a perfect OS match, it sometimes offers up near-matches as possibilities. The match has to be very close for Nmap to do this by default. Either of these (equivalent) options makes Nmap guess more aggressively. Nmap will still tell you when an imperfect match is printed and display its confidence level (percentage) for each guess.

--max-os-tries (Set the maximum number of OS detection tries against a target) When Nmap performs OS detection against a target and fails to find a perfect match, it usually repeats the attempt. By default, Nmap tries five times if conditions are favorable for OS fingerprint submission, and twice when conditions aren't so good. Specifying a lower --max-os-tries value (such as 1) speeds Nmap up, though you miss out on retries which could potentially identify the OS. Alternatively, a high value may be set to allow even more retries when conditions are favorable. This is rarely done, except to generate better fingerprints for submission and integration into the Nmap OS database.



h) Explain ping sweeping and Perform ping sweeping using Nmap

Ping sweeping, also known as ICMP echo request scanning or host discovery scanning, is a technique used to identify active hosts within a network. It involves sending ICMP echo request packets (pings) to a range of IP addresses and analyzing the responses to determine which hosts are online.

The ICMP echo request (ping) is a network diagnostic tool used to check the reachability of a host on an IP network. When a host receives an ICMP echo request packet, it typically responds with an ICMP echo reply packet if it's online and reachable.

Ping sweeping is commonly used as the initial step in network reconnaissance to identify active hosts before performing further scans, such as port scanning or vulnerability assessment. It's a quick and non-intrusive way to gather information about the network topology and identify potential targets for further analysis.



What is a web application firewall? How do you use Nmap to detect a WAF? Perform WAF fingerprint detection using NMAP.

A Web Application Firewall (WAF) is a security solution designed to protect web applications from various attacks, such as cross-site scripting (XSS), SQL injection, and other common web application vulnerabilities. It sits between the web application and the client, inspecting HTTP traffic and filtering out malicious requests or payloads before they reach the application server.

A WAF operates by analyzing HTTP requests and responses, applying predefined security rules or policies to identify and block suspicious or malicious traffic. It can also provide additional security features, such as content filtering, bot mitigation, and protection against application-layer attacks.



What is EXIF data? Try to find EXIF data of images on a website using NMAP NSE.

EXIF (Exchangeable Image File Format) data is a standard for storing metadata in image files, commonly used by digital cameras and smartphones. This metadata contains information about the image itself, such as the camera settings used to capture the image, the date and time the image was taken, GPS coordinates, and other technical details.


Use NMAP NSE to find all subdomains of the website

This script performs DNS brute force enumeration to discover subdomains by querying common subdomain names against the DNS server.


Nmap will perform DNS brute force enumeration against the DNS server associated with google.com, attempting to discover subdomains by querying common subdomain names.


Perform a vulnerability scan on the target host using NMAP NSE

These scripts can identify potential security vulnerabilities in services running on the target host.
