Lab 3 - Scanning with Nmap
Table of Contents
Activities
Part 1 - Setup
Launch both Kali Linux and the Metasploitable2 VM and ensure that they are on the same isolated network.
On Kali, check which version of nmap you have installed. The nmap commands have evolved slightly over time. It's important to ensure you are following documentation for the version of the program you are using.
$ nmap --version
Deliverables:
- What is the IP address of your Kali Linux VM? What is the IP address of your Metasploitable2 VM?
- What version of nmap do you have installed in Kali? (Answer in the form: x.xx)
Warning: If both systems have the same IP address here and you are running VirtualBox, then it is 99% likely that you did not complete the "Networking Configuration" part of the Virtual Machine setup tutorial. Shut down your VMs, complete the setup, and then return to continue the lab.
Part 2 - Host Discovery
On your Kali VM, perform a basic nmap host discovery scan without port scanning. Normally this would be used to scan an entire subnet (or larger), but for this lab, we're going to target specific IPs of interest.
First, target just the Metasploitable2 VM by its IP address.
$ sudo nmap -sn TARGET
Note: Using sudo so that Nmap can generate arbitrary network packets for this scan
From the Nmap documentation: "The default host discovery done with -sn consists of an ICMP echo request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp request by default. When executed by an unprivileged user, only SYN packets are sent (using a connect call) to ports 80 and 443 on the target. When a privileged user tries to scan targets on a local ethernet network, ARP requests are used unless --send-ip was specified." -- https://nmap.org/book/man-host-discovery.html
Deliverables (Host discovery of Metasploitable2 VM):
- What methods did Nmap use to perform host discovery when run as the root user (i.e. via sudo)?
- To document your answer, run Wireshark in the background and capture just the Nmap network scan with the -sn option, with no (or minimal) extra background network traffic. Save and upload the resulting
.pcapng
file.
Second, target the IP 8.8.8.8
, which will map to whatever public Google DNS server happens to be the closet to us geographically (a feature known as "IP Anycast"). Google won't mind a little more scanning traffic, right? As before, just do a basic Nmap host discovery scan without port scanning.
Deliverables (Host discovery of 8.8.8.8):
- What command did you enter to run the scan as the root user?
- What methods did Nmap use to perform host discovery when run as the root user (i.e. via sudo)?
- To document your answer, run Wireshark in the background and capture just the Nmap network scan with the -sn option, with no (or minimal) extra background network traffic. Save and upload the resulting
.pcapng
file. - Not to give away part of the answer to a question above, but what is the response hostname to the reverse DNS query Nmap sent for
8.8.8.8.in-addr.arpa
? You can obtain this information from the Wireshark trace you just obtained.
(Tip: You can type this hostname into your web browser and see a web page that should immediately confirm the correctness of your answer.) - In a short paragraph, explain what replies are received as a result of the Nmap host discovery. Phrase your answer in the format of:
Nmap sent<request message>
, and a few packets later the target host sent<reply message>
Part 3 - TCP Port Scanning
On your Kali VM, perform a Nmap TCP port scan of the Metasploitable2 VM to detect active services. Either a connect scan (-sT
) or a SYN scan (-sS
) is fine.
$ sudo nmap -sT TARGET
$ sudo nmap -sS TARGET
Note: Using sudo so that Nmap can generate arbitrary network packets for this scan
Deliverables:
- What specific ports and services does Nmap find as open? Copy and paste in the entire
PORT | STATE | SERVICE
table - How many ports did Nmap report as open?
- How many ports did Nmap report as closed?
Part 4 - UDP Port Scanning
On your Kali VM, perform a Nmap UDP port scan of the Metasploitable2 VM to detect active services.
$ sudo nmap -sU TARGET
Note: Using sudo so that Nmap can generate arbitrary network packets for this scan
Tip 1: Unlike TCP, there is no generic way to see if a UDP port is open or not, since UDP is connectionless. Thus, you will have much more accurate results (and be able to fully answer the lab question) if you also enable service and version scanning with your UDP scan. The CLI argument is provided below.
Tip 2 If you accept the default options, this scan will take a very long time. However, you can make Nmap go faster by specifying a non-default Timing Template. Given that the target is a VM on the same computer (even better than on the same local area network!), shorter timeouts should be perfectly safe.
Tip 3 If you only care about the most popular services (which is sufficient for this lab), you can use the
--top-ports=N
argument to only scan the N most popular service ports.
Deliverables:
- What command did you enter to do a faster UDP port scan and to also enable service and version scanning?
- What 4 UDP ports did Nmap find as open (not open|filtered, just open) and what services are running on those ports? Provide your answer in ascending numerical order for the auto-grader.
Part 5 - OS Detection
Perform a Nmap OS Detection scan on the Metasploitable2 VM. Note that implicit with OS detection is port discovery.
$ sudo nmap -O TARGET
Note: Using sudo so that Nmap can generate arbitrary network packets for this scan
Deliverables:
- What is the device type of the Metasploitable2 VM according to Nmap?
- What is the Common Platform Enumeration (CPE) string of the Metasploitable2 VM?
- What is the OS Details string Nmap provided for the Metasploitable2 VM, showing the range of kernel versions it believes the host is running?
- Check in the Metasploitable2 VM - What kernel version is it actually running? (Provide your answer in the form x.x.x-x-tag for the auto-grader)
Part 6 - Version and Service Scanning
Perform a Nmap version and service scan of the Metasploitable2 VM:
$ sudo nmap -sV TARGET
Note: Using sudo so that Nmap can generate arbitrary network packets for this scan
Deliverables:
- What version of OpenSSH is running?
- What version of the BIND DNS server is running?
Part 7 - Complete Scanning
Perform an "everything and the kitchen sink" scan against the Metasploitable2 VM using the -A
(for all) option. This is the most time consuming scan (at least for TCP) and the most verbose. As such, it is best run against very specific hosts that (a) you know exist, and (b) you know have specific services of interest to you.
$ sudo nmap -A TARGET
Note: Using sudo so that Nmap can generate arbitrary network packets for this scan
Deliverables:
- What is the NetBIOS workgroup of the Samba server on the Metasploitable2 VM?
- What is the 2048 bit long RSA SSH host key that identifies this target?