
NTS330

Lab-M04-01: Host Scanning


OCTOBER 16, 2017
BY: LIVIA NGUYEN, MARK LAROCQUE, VIRGIL WYLIE
Contents

Summary
Command List
  Nmap
  Netcat
Ping Sweep
Target Information
Port Scan
  Standard
  Timing Request
Port 80 and 443 Scan
Host Scan and Reason
Nmap Scan and Output
Denying ICMP
Netcat Port Scan
Operating System Identification
Application Fingerprinting
Penetration Test Scenario
Xmas Scan
Host Scan From Text File
Reference
Summary

This lab demonstrates host scanning with nmap and the options nmap provides to control how a scan
runs: timing and timeouts, the ports probed, and what information is collected from a specific
host. It walks through how to discover the hosts on the network and detect the version, operating
system and services of each one. Each command is explained together with what its options add to
the default scan.

Command List

Nmap

-sP Ping scan (host discovery only; the older spelling of -sn, which current nmap versions still
accept as an alias)

-sT TCP connect scan (completes the three-way handshake)

-T4 Aggressive timing: initial_rtt_timeout 500 ms; min_rtt_timeout 100 ms; max_rtt_timeout
1,250 ms; scan_delay 0 s; max_scan_delay 10 ms

-sV Version scan: probe open ports to determine service/version info

-p Only scan the specific ports listed

-F Fast scan: only the 100 most common ports instead of the default 1,000

--host-timeout Give up on a host after the given time (for example 1s or 30m)

--reason Display the reason a port is in a particular state

-oN Output the scan result to a file in normal (human-readable) format

-Pn Treat every host as online and skip host discovery (no ICMP echo, ARP or TCP ping before
the port scan)

-O Enable OS detection

-sX Xmas scan (sets the FIN, PSH and URG flags together)

-iL Input targets from a list file (hosts or networks, for example a text file)

-v Verbose output


Netcat

-z Zero-I/O mode: connect and disconnect without sending data (used for scanning)

-v Verbose: print a message on standard error for each connection that succeeds or fails

Ping Sweep

root@warmachine:~# nmap -sP 10.31.104.1-254

This ping sweep covers the whole 10.31.104.1-254 range, lists every host that answered and
reports how long the sweep took. The target was identified as 10.31.104.10. Because the sweep runs
as root against addresses on the local Ethernet segment, nmap discovers hosts with ARP requests
rather than ICMP echo, which is also why it can report each host's MAC address; against a remote
network it falls back to an ICMP echo, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP
timestamp request.

Target Information

IPv4 address: 10.31.104.10

IP address range: 10.31.104.1-254

MAC Address: 00:50:56:B9:01:9F (the 00:50:56 OUI belongs to VMware, so the target is a virtual
machine)

CIDR block: 10.31.104.0/24


Port Scan

Standard

root@warmachine:~# nmap -sT 10.31.104.1-11

A TCP connect scan (-sT) of the address range, listing each open port, its state and the service
normally associated with that port number. -sT completes the full three-way handshake, so every
probe is visible to the listening application and its logs; when run as root, nmap's default is
the half-open SYN scan (-sS), which is faster and quieter. Without -p, nmap probes the 1,000 most
common TCP ports.

Timing Request

root@warmachine:~# nmap -T4 10.31.104.1-12

-T4 selects the aggressive timing template. Its 500 ms figure is the initial round-trip timeout
nmap uses before it has measured the target's latency, not the scan's total runtime; by
comparison the sneaky template (-T1) waits 15 s between probes. The default template is -T3
(normal), not -T1, and -T4 is the usual choice on a reliable network because it caps the maximum
RTT timeout at 1,250 ms and the scan delay at 10 ms.


root@warmachine:~# nmap --host-timeout 1s 10.31.104.10

--host-timeout makes nmap give up on a host once the given time has elapsed, which bounds the
runtime of a scan against slow or heavily filtered hosts. The option takes the double dash and a
unit (1s, 30m). A host that times out is dropped entirely and none of its partial results are
reported, so a 1 s limit only demonstrates the effect; in practice values of minutes are realistic.


Port 80 and 443 Scan

root@warmachine:~# nmap -sV -p 80,443 10.31.104.1-12

-sV probes the open ports on each listed host to identify the service and its version, and -p
restricts the scan to the ports I want, here port 80 and port 443. Without -sV nmap only prints
the service name assigned to that port number in its nmap-services table, which says nothing about
what is actually listening there.
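Reading -sV results from a script, as an added example that is not part of the original lab: nmap's grepable output (-oG) puts each host on one tab-separated line whose Ports: field lists port/state/protocol/owner/service/rpc-info/version entries, which is far easier to parse than the normal output. The sample output below is constructed for this example to look like a -sV -p 80,443 scan of the lab range (it is not a captured result), and the function names are mine.

```shell
#!/bin/sh
# Added example: extract open ports, service and version from nmap grepable output.
# Real use:  nmap -sV -p 80,443 -oG - 10.31.104.1-12 | open_services

# open_services: read nmap -oG output on stdin and print
#   "<ip> <port>/<proto> <service> <version>" for every port in state "open".
open_services() {
    awk -F'\t' '/^Host:/ {
        split($1, h, " "); ip = h[2]          # "Host: 10.31.104.10 ()" -> IP is h[2]
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^Ports: /) continue
            n = split(substr($i, 8), ports, ", ")   # drop the "Ports: " prefix, split entries
            for (j = 1; j <= n; j++) {
                # entry layout: port/state/protocol/owner/service/rpc info/version/
                split(ports[j], f, "/")
                if (f[2] != "open") continue
                v = (f[7] == "") ? "-" : f[7]        # "-" when -sV could not identify a version
                printf "%s %s/%s %s %s\n", ip, f[1], f[3], f[5], v
            }
        }
    }'
}

# hosts_with_open PORT: from the same input, print only the hosts that have PORT open.
hosts_with_open() {
    open_services | awk -v p="$1" '{ split($2, pp, "/"); if (pp[1] == p) print $1 }'
}

# sample_versions: constructed -oG output for three hosts (not a real scan result).
sample_versions() {
    printf 'Host: 10.31.104.10 ()\tPorts: 80/open/tcp//http//Microsoft IIS httpd 5.0/, 139/open/tcp//netbios-ssn///, 443/closed/tcp//https///\n'
    printf 'Host: 10.31.104.11 ()\tPorts: 80/open/tcp//http//Apache httpd 2.4.6 ((CentOS))/, 443/open/tcp//https//Apache httpd 2.4.6 ((CentOS))/\n'
    printf 'Host: 10.31.104.12 ()\tPorts: 80/filtered/tcp//http///, 443/filtered/tcp//https///\n'
}

# Demonstration on the constructed sample.
sample_versions | open_services
sample_versions | hosts_with_open 443
```

The filtered ports on 10.31.104.12 and the closed 443 on 10.31.104.10 are dropped, and the port with no version string is printed with "-" so downstream tooling gets a fixed number of fields.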

Host Scan and Reason

root@warmachine:~# nmap -T4 --reason 10.31.104.10

An aggressive-timing scan with --reason, which adds the response that put each port in its state:
for example syn-ack for an open port, conn-refused (connect scan) or reset (SYN scan) for a closed
one, and no-response for a filtered one. This is the quickest way to tell a port that is really
closed from one that a firewall silently drops.
Nmap Scan and Output

root@warmachine:~# nmap -oN /root/Desktop/hostscanresult.txt 10.31.104.10

Port scan of host 10.31.104.10 with the result written to a text file on the Desktop. -oN saves
the normal output exactly as shown on screen; for output that a script will parse, -oG (grepable)
or -oX (XML) are better suited, and -oA writes all three formats at once.
Denying ICMP

root@warmachine:~# nmap -T4 -Pn 10.31.104.10

-Pn tells nmap to assume every target is online and to skip host discovery entirely, so no ICMP
echo, ARP or TCP ping is sent before the port scan. This is the option to use when a firewall
blocks ping and nmap would otherwise report the host as down and never scan it. Against a whole
range it port-scans every address, reachable or not, so the sweep takes much longer and
unreachable addresses show up with all ports filtered.

Netcat Port Scan

root@warmachine:~# nc -zv 10.31.104.10 1-500

A netcat scan of ports 1-500 on the target: -z opens and immediately closes each connection
without sending data, and -v reports each result as a message on standard error (so 2>&1 is
needed before piping the results into grep). Netcat is a Unix/Linux utility that reads and writes
data across TCP or UDP connections, while nmap is a purpose-built security scanner. Netcat is used
for opening raw connections, setting up a quick web server on port 8080 to view the content of a
file, checking whether UDP ports are open, simple port scanning, etc., while nmap is used for host
discovery, port scanning, version and OS detection, etc.
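Pulling the open ports out of the netcat output, as an added example that is not part of the original lab. The two common netcat variants print different messages, and both print them on standard error, so the real pipeline is nc -zv 10.31.104.10 1-500 2>&1 | nc_open_ports. The line formats below are the ones printed by OpenBSD netcat and by netcat-traditional; the sample output is constructed to exercise both, not captured from the lab host, and the function names are mine.

```shell
#!/bin/sh
# Added example: extract open port numbers from "nc -zv" output (either netcat variant).

# nc_open_ports: read nc -v messages on stdin, print one open port number per line.
nc_open_ports() {
    awk '
        # OpenBSD nc:         "Connection to 10.31.104.10 80 port [tcp/http] succeeded!"
        /^Connection to .* succeeded!$/ { print $4; next }
        # netcat-traditional: "10.31.104.10 [10.31.104.10] 80 (http) open"
        / open$/                         { print $(NF-2); next }
        # anything else ("Connection refused", "failed:", timeouts) is a closed or filtered port
    '
}

# sample_nc_output: constructed mix of both formats, including closed-port noise.
sample_nc_output() {
    echo 'Connection to 10.31.104.10 80 port [tcp/http] succeeded!'
    echo 'nc: connect to 10.31.104.10 port 81 (tcp) failed: Connection refused'
    echo 'Connection to 10.31.104.10 135 port [tcp/epmap] succeeded!'
    echo '(UNKNOWN) [10.31.104.10] 139 (netbios-ssn) open'
    echo '(UNKNOWN) [10.31.104.10] 140 (?) : Connection refused'
    echo 'Connection to 10.31.104.10 443 port [tcp/https] succeeded!'
}

# Demonstration on the constructed sample.
sample_nc_output | nc_open_ports
```

Without the 2>&1 redirect the pipeline receives nothing at all, which is the most common reason a scripted netcat scan appears to find no open ports.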
Operating System Identification

root@warmachine:~# nmap -O 10.31.104.10

OS detection matched the target's TCP/IP fingerprint to the Microsoft Windows 2000/XP/2003 family.
That is an OS class rather than an exact version, and -O needs at least one open and one closed
TCP port on the target to produce a reliable match; nmap prints a warning when that condition is
not met.
Application Fingerprinting

root@warmachine:~# nmap -sV -T4 -F 10.31.104.10

The application fingerprinting scan probes the open ports found by the fast scan (-F, the 100
most common ports) and lists the service and version behind each one. No unknown application
fingerprint was reported. When nmap does not recognise a service it prints the raw fingerprint it
collected and asks for it to be submitted; other ways to identify the service are to run netstat
on the target itself to list the listening ports and their processes, or to look up the port
number and the services commonly assigned to it.

Penetration Test Scenario

To determine which hosts are up within that range, I would run either Nmap or Nessus. Given that I
am trying to detect vulnerabilities I would go with Nessus. This would allow me to do network
discovery and scan the systems for vulnerabilities, but it would need to be done with safe checks
enabled, since running the dangerous plugins can crash a system. Tenable Network Security, owner
of Nessus, develops plugins that let Nessus check for CVEs. During the scan I can use the interface
to view results while the scan is still in progress. Once the scan is completed a report is
generated from which I can get the information needed to complete the customer's request.


Xmas Scan

root@warmachine:~# nmap -sX 10.31.104.10 -v

The Xmas scan sends packets with the FIN, PSH and URG flags all set at once (the packet is "lit
up like a Christmas tree"). On a system that follows RFC 793 a closed port answers with RST and an
open port stays silent, so nmap reports silent ports as open|filtered and RST responders as
closed. Microsoft Windows does not follow RFC 793 here and sends RST for every port regardless of
state, so against this Windows 2000/XP/2003 target every port appears closed and the scan reveals
nothing; its value is against Unix-like hosts and stateless packet filters that only inspect SYN
packets.

Host Scan from Text File

root@warmachine:~# nmap -iL /root/Desktop/networkhosts.txt

Perform nmap host scanning on the targets listed in the text file networkhosts.txt. -iL reads the
file and scans every entry in it; entries are separated by spaces, tabs or newlines and may use
any target syntax nmap accepts on the command line (single addresses, ranges such as
10.31.104.1-254, CIDR blocks, host names).
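The sweep-to-target-list workflow that ties the Ping Sweep and Host Scan from Text File sections together, as an added example that is not part of the original lab: the live hosts found by the sweep are written to networkhosts.txt, and that file is then handed to -iL so the heavier -sV and -O scans only run against hosts that answered. It assumes nmap's grepable output format (-oG); the function names are mine, and the sample sweep output is constructed rather than captured from the lab network.

```shell
#!/bin/sh
# Added example: turn a ping sweep into a target list for -iL.
# Real use:
#   nmap -sn -oG - 10.31.104.1-254 | live_hosts > /root/Desktop/networkhosts.txt
#   nmap -sV -O -iL /root/Desktop/networkhosts.txt

# live_hosts: read nmap -oG output on stdin, print the IP of every host reported Up.
live_hosts() {
    # Host lines look like "Host: 10.31.104.10 ()<TAB>Status: Up"; comment lines start with "#".
    awk -F'\t' '/^Host:/ {
        split($1, h, " ")                   # h[2] is the IP address
        for (i = 2; i <= NF; i++)
            if ($i == "Status: Up") print h[2]
    }'
}

# write_targets FILE: save the live hosts from stdin into FILE (one per line, the layout
# -iL expects) and print how many were written.
write_targets() {
    live_hosts > "$1"
    wc -l < "$1" | tr -d ' '
}

# sample_sweep: constructed -oG ping-sweep output (Down lines only appear in verbose mode).
sample_sweep() {
    printf '# Nmap 7.60 scan initiated Mon Oct 16 10:00:00 2017 as: nmap -sn -oG - 10.31.104.1-254\n'
    printf 'Host: 10.31.104.1 ()\tStatus: Up\n'
    printf 'Host: 10.31.104.7 ()\tStatus: Down\n'
    printf 'Host: 10.31.104.10 ()\tStatus: Up\n'
    printf '# Nmap done -- 254 IP addresses (2 hosts up) scanned in 3.21 seconds\n'
}

# Demonstration on the constructed sample: writes the list, prints the count, shows the file.
targets="${TMPDIR:-/tmp}/networkhosts.$$"
sample_sweep | write_targets "$targets"
cat "$targets"
rm -f "$targets"
```

Filtering on the Status field rather than on the presence of a Host line matters because verbose sweeps also list hosts that were down; feeding those to -iL would waste the time -Pn-style scanning of dead addresses costs.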
Reference

Nmap Network Scanning: Options Summary. (n.d.). Retrieved October 16, 2017, from
https://nmap.org/book/man-briefoptions.html

Messer. (2007, September 17). How to Supercharge Your Nmap Scans. Retrieved October 16, 2017,
from https://www.professormesser.com/nmap/how-to-supercharge-your-nmap-scans/4/

SANS. (n.d.). Netcat Cheat Sheet. Retrieved October 16, 2017, from
https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf

Nmap Network Scanning: Port Scanning Techniques. (n.d.). Retrieved October 16, 2017, from
https://nmap.org/book/man-port-scanning-techniques.html
