Hackers traditionally follow a 5-step approach to seek out and destroy targeted hosts. The first step in performing an attack is to plan the attack by identifying your target and learning as much as possible about the target. Hackers traditionally perform an initial reconnaissance & probing scan to identify IP hosts, open ports, and services enabled on servers and workstations. In this lab, students will plan an attack on 172.30.0.0/24 where the VM server farm resides. Using ZenMap GUI, students will then perform a “Ping Scan” or “Quick Scan” on the targeted IP subnetwork.
Lab Assessment Questions & Answers
Name at least five applications and tools pre-loaded on the Windows 2003 Server Target VM (VM Name: “WindowsTarget01”) and identify whether that application starts as a service on the system or must be run manually?
Start as a service
Start as a service
What was the DHCP allocated source IP host address for the Student VM, DHCP Server, and IP default gateway router?
DHCP allocated the following IP addresses
Source IP host address is 192.168.1.6
DHCP server address 192.168.1.1
Default gateway router address is 192.168.1.1
Did the targeted IP hosts respond to the ICMP echo-request packet with an ICMP echo-reply packet when you initiated the “ping” command at your DOS prompt? If yes, how many ICMP echo-request packets were sent back to the IP source?
Yes, four ICMP echo-request packets sent when I initiate a “ping” command from the DOS prompt
Details of these packets are as follows:
Ping statistics for 192.168.1.6
Packets: sent=4, Received=4, Lost=0 (0% loss)
Approximate round trip times in milli-seconds:
Minimum=0ms, Maximum=131ms, Average= 43ms
If you ping the “WindowsTarget01” VM server and the “UbuntuTarget01” VM server, which fields in the ICMP echo-request / echo-replies vary?
When I ping the “WindowsTarget01” VM server and the “UbuntuTarget01” VM server, ICMP echo-request / echo-replies of “Windows Target01” VM server varies like 8ms, 131ms, 33ms and <1ms.
What is the command line syntax for running an “Intense Scan” with ZenMap on a target subnet of 172.30.0.0/24?
nmap -T4 -A -v 188.8.131.52/24
Name at least 5 different scans that may be performed from the ZenMap GUI and document under what circumstances you would choose to run those particular scans.
Command = nmap -T4 -A -v
Intense Scan is to comprehensive scan the network and all the computers in the network. The benefit is that you can check all the vulnerabilities in the network where you are connected with.
Command = nmap -sn
Ping scan only finds either target/targets are up or not. It does not scan the ports of that particular target/targets.
Command = nmap -T4 -F
It is faster than the normal scan because it scans the fewer ports and uses the aggressive timing template
Quick scan plus
Command = nmap -sV -T4 -O -F –version-light
It detects the Operating system as well as the version of OS.
Command = nmap -sn –traceroute
It does not do the port scanning it just find the intermediate hops where from you can connect with the computer.
Command = nmap
A basic port scan with no extra options.
How many different tests (i.e., scripts) did your “Intense Scan” definition perform? List them all after reviewing the scan report.
It performs the following tests:
TCP sequence prediction
Describe what each of these tests or scripts performs within the ZenMap GUI (Nmap) scan report.
A port scan is mostly what its name suggests, a scan of all the ports open upon a system. The way a port-scanner typically works is to attempt to connect to each port upon a host, in turn, and then report the results.
For example a scanner could connect to:
port 1 – to see ifA tcpmuxA is running.
port 7 – to see ifA echoA is running.
port 22 – to see ifA opensshA is available.
port 25 – to see ifA smtpA is available.
One of Nmap’s best-known features is remote OS detection using TCP/IP stack
fingerprinting. Nmap sends a series of TCP and UDP packets to the remote host and examines practically every bit in the responses.
Two important fields that version detection can discover are operating system and device type. These are also reported on theA Service InfoA line. We use two techniques here. One is application exclusivity. If we identify a service as Microsoft Exchange, we know the operating system is Windows since Exchange doesn’t run on anything else. The other technique is to persuade more portable applications to divulge the platform information. Many servers (especially web servers) require very little coaxing. This type of OS detection is intended to complement Nmap’s OS detection system (-O) and can sometimes report differing results. For example, consider a Microsoft Exchange server hidden behind a port-forwarding UNIX firewall.
It detects how many hops are involved in the way to reach to the targeted computer.
TCP sequence prediction:
Nmap sends a couple of resets first to the open port, then sends six packets with just SYN set (the normal method for opening a TCP connection), followed each time with a reset (a TCP header with reset and ACK flags set, which aborts the connection). The sequence numbers in packets sent increase incrementally by one each time; this is abnormal behavior but is characteristic of sequence number collectors. Nmap collects the initial sequence numbers received from the target and looks for a pattern in the way they are incremented. This is called a TCP sequence prediction.
Nmap does not perform a full trace to every host, so necessarily it must make assumptions about the hops that it has not probed. The first and most fundamental of these is that, in tracing a host, we find an intermediate hop that has already been seen in tracing another host, we may assume that it and all it parents’ hops are shared between the two hosts.
How many total IP hosts (not counting Cisco device interfaces) did ZenMap GUI (Nmap) find on the network?
Two (2) up hosts are found in my network.
Based on your Nmap scan results and initial reconnaissance & probing, what next steps would you perform on the VM server farm and VM workstation targets?
In Nmap scanning we’ve been find the vulnerabilities of network or targeted computer. After the reconnaissance we’ve to check where we’ve to enter into the computer for the specific purpose i.e. if we want to check the web services on the targeted computer then we’ve to enter form the port 80.