
Cyber Security 150130107071

Practical 1 : TCP scan using Nmap


Nmap (Network Mapper) is the most widely used port scanner and network discovery tool.
Nmap is free, open-source software available for UNIX-like systems and Windows. It has an
optional graphical front-end (originally NmapFE, today Zenmap) and supports a wide variety
of scan types, each with different benefits and drawbacks.
Scanning, as a method for discovering exploitable communication channels, has been
around for ages. The idea is to probe as many listeners as possible and keep track of the
ones that are receptive or useful to your particular need.
Much of the field of advertising is based on this paradigm, and the "to current resident"
brute-force style of bulk mail is an almost perfect parallel to what we will discuss: just
stick a message in every mailbox and wait for the responses to trickle back.
Scanning entered the hacking/phreaking (h/p) world along with the phone systems. Here we
have this tremendous global telecommunications network, all reachable through codes on
our telephone. Millions of numbers are reachable locally, yet we may only be interested in
0.5% of them, perhaps those that answer with a carrier.
The logical solution to finding the numbers that interest us is to try them all. Thus the
field of "wardialing" arose, and excellent programs like ToneLoc were developed to
facilitate the probing of entire exchanges and more.
The basic idea is simple: if you dial a number and your modem gives you a CONNECT, you
record it. Otherwise the computer hangs up and tirelessly dials the next one.
While wardialing is still useful, most of the computers we wish to communicate with are
now connected through networks such as the Internet rather than analog phone dialups.
Scanning these machines involves the same brute-force technique: we send a blizzard of
packets for various protocols and deduce which services are listening from the responses
we receive (or don't receive).
Standard scanning methods, such as the vanilla connect() scan and the half-open SYN scan,
are simple, direct techniques that identify accessible TCP ports and services accurately.
The connect() scan completes the TCP three-way handshake, so the connection is visible to
the listening application and is usually logged by it; the half-open SYN scan tears the
connection down with a RST before the handshake completes, so the application never sees
it, but both are trivially identified by a network IDS or by a firewall that logs dropped
packets. These methods are reliable but easily logged and identified.
A TCP port scan with Nmap lets you discover which TCP ports are open on your target
host.
Parameters for scanning in Nmap :-

Government Engineering College, Gandhinagar

Target : This is the hostname or IP address(es) to scan. Nmap also accepts CIDR blocks
(e.g. 192.168.1.0/24) and octet ranges.

Ports to scan Common : This option tells Nmap to scan only the 100 most common TCP
ports (Nmap -F).

Ports to scan Range : You can specify a range of ports to be scanned (Nmap -p 1-1024).
Valid ports are between 1 and 65535; -p- scans all of them.

Ports to scan List : You can specify a comma-separated list of ports to be scanned
(Nmap -p 21,22,80).

Detect service version : In this case Nmap will try to detect the version of the
service that is running on each open port (Nmap -sV). This is done using multiple
techniques like banner grabbing, reading server headers and sending protocol-specific
probes.

Detect operating system : If enabled, Nmap will try to determine the type and
version of the operating system that runs on the target host (Nmap -O, which needs
raw-socket privileges). The result is not always 100% accurate, depending on the way
the target responds to the probe packets.

Do traceroute : If enabled, Nmap will also do a traceroute (Nmap --traceroute) to
determine the path packets take from our server to the target server, including the
IP addresses of all network nodes (routers) in between.

Don't ping host : By default Nmap first checks whether each host is up (host
discovery) and skips hosts that do not answer. If this option is enabled (Nmap -Pn),
Nmap scans the target regardless. This is useful when the target host does not
respond to ICMP or other discovery probes but is actually up and has open ports.

Fundamentally, an idle scan (Nmap -sI) consists of three steps that are repeated for each port:
1. Probe the zombie's IP ID and record it.
2. Forge a SYN packet from the zombie and send it to the desired port on the target.
   Depending on the port state, the target's reaction may or may not cause the
   zombie's IP ID to be incremented.
3. Probe the zombie's IP ID again. The target port state is then determined by
   comparing this new IP ID with the one recorded in step 1.

After this process, the zombie's IP ID should have increased by either one or two. An
increase of one indicates that the zombie hasn't sent out any packets, except for its reply
to the attacker's probe.

This lack of sent packets means that the port is not open (the target must have sent the
zombie either a RST packet, which was ignored, or nothing at all). An increase of two
indicates that the zombie sent out a packet between the two probes.

This extra packet usually means that the port is open (the target presumably sent the
zombie a SYN/ACK packet in response to the forged SYN, which induced a RST packet from
the zombie). Increases larger than two usually signify a bad zombie host: it might not have
predictable IP ID numbers, or it might be engaged in communication unrelated to the idle
scan.

Even though what happens with a closed port is slightly different from what happens with
a filtered port, the attacker measures the same result in both cases, namely an IP ID
increase of 1. Therefore the idle scan cannot distinguish between closed and filtered
ports; when Nmap records an IP ID increase of 1 it marks the port closed|filtered.
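
To make the IP ID arithmetic concrete, here is an added example (it is not part of the original practical and not Nmap's own code) that models a zombie whose IP ID counter increments by one per packet sent, walks the three steps for open, closed and filtered ports, and shows why a busy zombie gives unusable results. The counter value, the port states and the zombie's background traffic are constructed values; nothing touches the network.

```python
"""Idle (zombie) scan inference, modelled in pure Python.

Nothing here touches the network: the zombie and the target are small models
whose behaviour follows the three-step description of the idle scan.
"""
from dataclasses import dataclass
from typing import Dict, Optional

IP_ID_MASK = 0xFFFF  # the IP ID field is 16 bits and wraps around


@dataclass
class Zombie:
    """A host whose IP ID counter increments by one for every packet it sends.

    ip_id            -- current counter value (constructed starting point)
    background_sends -- packets the zombie emits for unrelated reasons between
                        two attacker probes (0 for a truly idle zombie)
    """
    ip_id: int = 1000
    background_sends: int = 0

    def _emit(self) -> int:
        self.ip_id = (self.ip_id + 1) & IP_ID_MASK
        return self.ip_id

    def probe(self) -> int:
        """Attacker sends the zombie an unsolicited SYN/ACK; it answers with a RST
        whose IP ID reveals the current counter value."""
        for _ in range(self.background_sends):
            self._emit()
        return self._emit()

    def deliver(self, segment: Optional[str]) -> None:
        """The target's answer to the forged SYN arrives at the zombie."""
        if segment == "SYN/ACK":
            self._emit()  # unexpected SYN/ACK -> zombie replies with a RST
        # a RST (closed port) or no packet at all (filtered port) gets no reply


def target_reply(port_state: str) -> Optional[str]:
    """What the target sends back to the spoofed source address of a SYN."""
    return {"open": "SYN/ACK", "closed": "RST", "filtered": None}[port_state]


def idle_scan_port(zombie: Zombie, port_state: str) -> str:
    """Run the three steps once and classify the port from the IP ID delta."""
    before = zombie.probe()                    # step 1: read the zombie's IP ID
    zombie.deliver(target_reply(port_state))   # step 2: forged SYN, target answers the zombie
    after = zombie.probe()                     # step 3: read it again
    delta = (after - before) & IP_ID_MASK
    if delta == 1:
        return "closed|filtered"   # the zombie only answered our second probe
    if delta == 2:
        return "open"              # one extra packet: the RST to the target's SYN/ACK
    return "bad zombie"            # noisy or unpredictable IP ID sequence


def idle_scan(zombie: Zombie, port_states: Dict[int, str]) -> Dict[int, str]:
    """Scan several ports through one zombie; returns {port: verdict}."""
    return {port: idle_scan_port(zombie, state) for port, state in port_states.items()}


if __name__ == "__main__":
    # Constructed target: 22 open, 23 closed, 25 filtered.
    ports = {22: "open", 23: "closed", 25: "filtered"}
    print(idle_scan(Zombie(), ports))
    print(idle_scan(Zombie(background_sends=3), ports))  # busy zombie: every port "bad zombie"
```

The two print lines show the point of the text: against an idle zombie the open port stands out (delta 2) while closed and filtered collapse into one verdict (delta 1); against a zombie that sends three packets of its own between probes every delta is 4, so the zombie has to be discarded before any port result is trusted.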

The following examples come from the early Nmap documentation and use its original
single-letter options: -U was the FIN stealth scan, -s the SYN scan, -f fragmentation,
-D "don't ping", -b the FTP bounce scan, -P the ping sweep and -F "only the ports listed in
/etc/services". Current Nmap spells these -sF, -sS, -f, -Pn, -b, -sn and -F (now the 100
most common ports), and it has reassigned -D to decoy addresses and -P to the
host-discovery probe selectors (-PE, -PS, ...), so the lines below will not run unchanged on
a modern release.

To launch a stealth scan of the entire class 'B' networks 166.66.0.0 and 166.67.0.0
for the popularly exploitable imapd daemon (today: nmap -sF -p 143 ...):
nmap -Up 143 166.66.0.0/16 166.67.0.0/16
To do a standard TCP scan on the reserved ports (1-1024) of host <target> (current Nmap
instead defaults to its 1000 most common ports):
nmap target
To check the class 'C' network on which warez.com sits for popular services (via
fragmented SYN scan; today: nmap -f -sS -p 21,22,23,25,80,110 warez.com/24):
nmap -fsp 21,22,23,25,80,110 warez.com/24
To scan the same network for all the services in your /etc/services via (very fast)
TCP scan:
nmap -F warez.com/24
To scan secret.pathetic.net using the FTP bounce attack off of ftp.pathetic.net (today:
nmap -Pn -b ftp.pathetic.net secret.pathetic.net):
nmap -Db ftp.pathetic.net secret.pathetic.net
To find hosts that are up in the adjacent class C's 193.14.12, .13, .14, .15, ..., .30
(today: nmap -sn 193.14.12-30.0-255):
nmap -P '193.14.[12-30].*'
If you don't want to have to quote it to avoid shell interpretation, this does the
same thing:
nmap -P 193.14.12-30.0

Output :

Sign :- ____________________

Practical 2 : PORT scan using Nmap

Nmap has a multitude of options, and when you first start playing with this excellent tool it
can be a bit daunting.
Network ports are the entry points to a machine that is connected to the Internet. A
service that listens on a port is able to receive data from a client application, process it and
send a response back.
Malicious clients can sometimes exploit vulnerabilities in the server code to gain access to
sensitive data or execute malicious code on the machine remotely. That is why testing all
65535 TCP ports (Nmap -p-), not just the common ones, is necessary for a thorough security
verification.
Port scanning is usually done in the initial phase of a penetration test in order to discover
all network entry points into the target system. Port scanning works differently for TCP
ports and for UDP ports (UDP has no handshake, so a silent UDP port is ambiguous), which is
why Nmap has separate scan types for them (-sS or -sT for TCP, -sU for UDP).
In the figure below (a SYN probe against an open port), the attacker first sends a SYN packet
to the port he wishes to test. Upon receiving a packet from that port with the SYN and ACK
flags set, he knows that the port is open. In a full connect() scan the attacker then
completes the three-way handshake by sending an ACK packet back; a half-open SYN scan
(Nmap -sS) instead sends a RST so that the handshake never completes.

If, however, the target port is closed, the attacker receives a RST/ACK packet directly back,
as shown in the figure below. If nothing comes back at all, even after a retransmission, or an
ICMP unreachable error arrives instead, Nmap reports the port as filtered.
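
The SYN probe and the three possible outcomes, as an added example that is not part of the original practical and not Nmap's code: it packs and unpacks real 20-byte TCP headers with struct, applies Nmap's SYN-scan rules (SYN/ACK is open, RST is closed, silence or an ICMP unreachable is filtered), checks that a reply actually belongs to our probe before trusting it, and shows the follow-up segment a connect() scan sends versus a half-open scan. No packets leave the machine; the port numbers, sequence numbers and responses are constructed values.

```python
"""SYN-scan probe/response logic in pure Python (no packets are sent).

Builds the TCP header a scanner would send, decodes the header that comes back
and classifies the port the way Nmap's SYN scan does.
"""
import struct
from typing import Optional

# TCP flag bits as they appear in the low byte of the data-offset/flags word
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP_HDR = "!HHIIHHHH"  # src, dst, seq, ack, offset+flags, window, checksum, urgent

# ICMP type-3 codes Nmap treats as "filtered": net/host/proto/port unreachable,
# net/host admin-prohibited, communication administratively prohibited
FILTERING_UNREACHABLE_CODES = {1, 2, 3, 9, 10, 13}


def build_tcp_header(src_port: int, dst_port: int, seq: int, ack: int,
                     flags: int, window: int = 1024) -> bytes:
    """Pack a header with data offset 5 (no options). The checksum is left at 0;
    a raw-socket sender would compute it over the pseudo-header before sending."""
    offset_flags = (5 << 12) | flags
    return struct.pack(TCP_HDR, src_port, dst_port, seq, ack, offset_flags, window, 0, 0)


def parse_tcp_header(raw: bytes) -> dict:
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, offset_flags, window, _csum, _urg = struct.unpack(TCP_HDR, raw[:20])
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "flags": offset_flags & 0x01FF}


def classify_syn_probe(probe: bytes, response: Optional[bytes],
                       icmp_unreachable_code: Optional[int] = None) -> str:
    """Classify the probed port from what came back (or did not)."""
    if icmp_unreachable_code in FILTERING_UNREACHABLE_CODES:
        return "filtered"
    if response is None:
        return "filtered"          # silence even after retransmission: a firewall dropped it
    p, r = parse_tcp_header(probe), parse_tcp_header(response)
    # Only accept a reply that is for our probe: ports swapped, ack = our seq + 1.
    if (r["src_port"], r["dst_port"]) != (p["dst_port"], p["src_port"]):
        return "unrelated"
    if r["flags"] & ACK and r["ack"] != (p["seq"] + 1) & 0xFFFFFFFF:
        return "unrelated"
    if r["flags"] & RST:
        return "closed"
    if r["flags"] & SYN and r["flags"] & ACK:
        return "open"
    return "unexpected"


def scanner_followup(verdict: str, half_open: bool) -> Optional[int]:
    """Flags the scanner sends after an 'open' verdict: the vanilla connect() scan
    completes the handshake with ACK, the half-open SYN scan aborts it with RST."""
    if verdict != "open":
        return None
    return RST if half_open else ACK


if __name__ == "__main__":
    # Constructed exchange: our SYN from port 40000 to port 80.
    probe = build_tcp_header(40000, 80, seq=1000, ack=0, flags=SYN)
    synack = build_tcp_header(80, 40000, seq=5000, ack=1001, flags=SYN | ACK)
    rstack = build_tcp_header(80, 40000, seq=0, ack=1001, flags=RST | ACK)
    print(classify_syn_probe(probe, synack))                         # open
    print(classify_syn_probe(probe, rstack))                         # closed
    print(classify_syn_probe(probe, None))                           # filtered
    print(classify_syn_probe(probe, None, icmp_unreachable_code=13)) # filtered
    print(scanner_followup("open", half_open=True) == RST)           # True
```

The ack-number check matters in practice: a SYN scan on a busy network sees plenty of SYN/ACKs and RSTs that are not answers to its probes, and a scanner that does not match replies to probes can be fed false "open" results by anyone who can send packets to it.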

Parameters for scanning in Nmap :-


Target : This is the hostname or IP address(es) to scan. Nmap also accepts CIDR blocks
(e.g. 192.168.1.0/24) and octet ranges.

Ports to scan Common : This option tells Nmap to scan only the 100 most common TCP
ports (Nmap -F).

Ports to scan List : You can specify a comma-separated list of ports to be scanned
(Nmap -p 21,22,80).

Detect service version : In this case Nmap will try to detect the version of the
service that is running on each open port (Nmap -sV). This is done using multiple
techniques like banner grabbing, reading server headers and sending protocol-specific
probes.

Detect operating system : If enabled, Nmap will try to determine the type and
version of the operating system that runs on the target host (Nmap -O, which needs
raw-socket privileges). The result is not always 100% accurate, depending on the way
the target responds to the probe packets.

Do traceroute : If enabled, Nmap will also do a traceroute (Nmap --traceroute) to
determine the path packets take from our server to the target server, including the
IP addresses of all network nodes (routers) in between.

Don't ping host : By default Nmap first checks whether each host is up (host
discovery) and skips hosts that do not answer. If this option is enabled (Nmap -Pn),
Nmap scans the target regardless. This is useful when the target host does not
respond to ICMP or other discovery probes but is actually up and has open ports.

In this practical a single port number (Nmap -p <port>) is given instead of a port range.
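
The parameter list above (and the matching one in Practical 1) maps one-to-one onto Nmap flags. The following added example, which is not taken from the practical or from Nmap, shows that mapping in code and adds the two checks a scan front-end of this kind needs: ports constrained to 1-65535 and the target validated as an IP address, CIDR block or hostname before it is placed into an argv list rather than interpolated into a shell string. The target 10.0.0.5 and the port specs are constructed values; run_scan is included to show the call but is not invoked here.

```python
"""Map the scan-form parameters onto an Nmap argument vector, safely.

A front-end that accepts a target and a port list from a user must make sure a
value such as "10.0.0.5; cat /etc/passwd" or "-iL /etc/passwd" can never become
a second command or an extra Nmap option. Two things achieve that: strict
validation of every user-supplied field, and passing argv as a list (no shell).
"""
import ipaddress
import re
import subprocess
from typing import List, Optional

_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
# hostname, optional trailing dot, optional /prefix (Nmap accepts host/24)
_HOSTNAME = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?(?:/(?:[0-9]|[12][0-9]|3[0-2]))?$")
_PORT_ITEM = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def normalize_ports(spec: str) -> str:
    """Accept 'N', 'N-M' or a comma-separated mix; every port must lie in 1..65535.
    Returns the canonical value for -p, raises ValueError otherwise."""
    items = []
    for raw in spec.split(","):
        m = _PORT_ITEM.match(raw.strip())
        if not m:
            raise ValueError(f"bad port item: {raw!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port out of range: {raw!r}")
        items.append(str(lo) if lo == hi else f"{lo}-{hi}")
    return ",".join(items)


def validate_target(target: str) -> str:
    """Allow an IP address, a CIDR block or a hostname (optionally with /prefix).
    Anything else, including strings starting with '-', is rejected."""
    target = target.strip()
    try:
        ipaddress.ip_network(target, strict=False)   # 10.0.0.5, 10.0.0.0/24, fe80::1
        return target
    except ValueError:
        pass
    if _HOSTNAME.match(target):
        return target
    raise ValueError(f"invalid target: {target!r}")


def build_nmap_argv(target: str, ports: Optional[str] = None, common_ports: bool = False,
                    service_version: bool = False, os_detect: bool = False,
                    traceroute: bool = False, no_ping: bool = False) -> List[str]:
    """Translate the form parameters into argv. -O and --traceroute (like -sS)
    need raw-socket privilege; -sV and -Pn do not."""
    if common_ports and ports:
        raise ValueError("choose either the common-port set or an explicit port spec")
    argv = ["nmap"]
    if common_ports:
        argv.append("-F")                          # Ports to scan Common: top 100 ports
    if ports:
        argv += ["-p", normalize_ports(ports)]     # Ports to scan Range / List
    if service_version:
        argv.append("-sV")                         # Detect service version
    if os_detect:
        argv.append("-O")                          # Detect operating system
    if traceroute:
        argv.append("--traceroute")                # Do traceroute
    if no_ping:
        argv.append("-Pn")                         # Don't ping host
    argv.append(validate_target(target))           # Target, validated, always last
    return argv


def run_scan(argv: List[str]) -> str:
    """Execute with a list argv (no shell=True) and return Nmap's stdout."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed target and ports; only the argv is built, Nmap is not run here.
    print(build_nmap_argv("10.0.0.5", ports="22,80-443", service_version=True, no_ping=True))
```

Because the target is validated to start with a letter or digit and to contain no spaces or shell metacharacters, it can never be parsed by Nmap as an option, which is why the code does not need to rely on an end-of-options marker.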

Sign :- ____________________
