LAB B - NMAP/ZENMAP

In this lab exercise you will use NMAP/ZENMAP to perform different scans and use Wireshark to analyse NMAP’s behaviour.

The lab duration will be 25 minutes.

You will need Kali Linux and Metasploitable TR VMs.

Task 1 – Ping Scanning

Start the required VMs.

NOTE: Performing a ping scan will scan the entire network for live hosts.

Log in to the Kali VM with username root and password toor and start Wireshark.
Start a capture on eth0.
Enter Zenmap into the search box of the Kali menu (little Kali icon in the top left) then click on Zenmap to open it.

Once ZENMAP has opened – in the Target field, type:

192.168.1.0/24

Click the drop down arrow for the Profile and select Ping scan, then click Scan.

Once the scan has completed, note the number of devices that NMAP has discovered.

Return to Wireshark and stop the capture.

Did NMAP use ICMP?

NOTE: You should see that, despite selecting the option for a ping, scan NMAP chose to use ARP instead. This achieves the same result (discovering devices on the network) but is more reliable as PING is often blocked. Note the NMAP can only use ARP if it is connected to the same local network.

To run the same scan from the command line in Kali, open a new terminal and type:

nmap -sn 192.168.1.0/24

Task 2 – Basic Hosting Scanning

Having discovered some devices, the next step is to see what services are available on a target device. The basic scan will reveal to us any ports which are open on the target host.

Start a new Wireshark capture.
In ZENMAP – in the Target field, type:

192.168.1.99

Select Regular scan from the Profile field and click Scan.
Once the scan has completed, notice the services the NMAP has discovered.

Click on the Host Details tab, is there any useful data displayed?
Stop the Wireshark capture.
View the capture to see how NMAP works.

Task 3 – Intense Scan

You will now perform an intense scan to uncover more details about the services available on a target device.

Start a new Wireshark capture.
Switch back to Zenmap and check (or enter if required) that 192.168.1.99 is in the Target field.
Select Intense Scan in the Profile field and click Scan.

Once the scan has completed (it will take a while), notice the services NMAP has discovered. Are the results different to the last scan?

Click on the Host Details tab. Is there any additional useful information?
Return to Wireshark and stop the capture.
Review the capture.
Is NMAP noisy?

Task 4 – Version and OS Scan

Now use the command line version of NMAP and Wireshark to carry out some specific scans:

Start a Wireshark capture.
In a terminal, type:

nmap -sV -p 80 192.168.1.99

With this option, NMAP will attempt to identify the version of services running on the queried port.

Then type the following to carry out an operating system scan:

nmap -O -p 80,445 192.168.1.99

Return to Wireshark and stop the capture.
Use filter to look at the specific ports to see what NMAP is doing:

tcp.dstport == 80

Task 5 – Full Open vs Half Open

Start a new capture in Wireshark and compare half and full open scans by running the following, one at a time:

nmap -sT -p 80,445 192.168.1.99

nmap -sS -p 80,445 192.168.1.99

Can you identify what NMAP is doing differently between the two scans?

NOTE: A full open scan completed the connection – sending the final Ack in the three-way handshake. A half open scan does not send the final Ack – therefore not completing the connection. This is considered stealthier (from the point of view of logging in the target operating system).