In nearly every quiz this semester you will be given an nmap command or option
and you will be asked to explain what it does. To that end you need to memorize
all the nmap command options listed in the “Scanning” section of the class
notes (see link below).
Besides memorizing the specified options you will be asked to experiment with
various commands and document what you have done in the form of a text file
that you will upload into Canvas.
IMPORTANT: As you experiment with nmap, ONLY DO SO IN YOUR VIRTUAL ENVIRONMENT!
Performing port scans against other networks or hosts is considered an attack.
Take a moment to read the slides pertaining to nmap in the
course notes. Those pages are in the “Scanning” section. Once you've read the
section take about 5 minutes to attempt to memorize the various command options.
For the instructions that follow, try as much as possible to perform the
required nmap commands from memory. If you need to look back at the notes
that is okay, but you should fail at least twice on a given command before
looking back at the notes.
Create a text document (i.e., has a .txt extension) that you will update after
completing each task below. In the document give the task number followed by the
commands you used to perform the task. If the task asks any questions be sure to
put your answer to those questions in the document as well.
Before you start you should perform this one-time command to endow nmap with some
special privileges when run with the --privileged option:
sudo setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip /usr/bin/nmap
If any of the commands you use/need require special privileges, just add the
--privileged option to the command rather than running the command as the root user.
- (2 pts) Start VirtualBox and launch your Kali host and both of the
Metasploitable3 targets.
Log in to each machine and issue the commands needed to determine the IP address
of each machine.
What is the range of IP numbers for the Class C address range that
contains both of those IP numbers? (You can use CIDR or any other notation
supported by nmap to specify the range.) NOTE: For this task you don't
need to issue an nmap command; you need to put in the text document what
command you used to determine each machine's IP number and the range of
256 IP numbers that contains both machines.
- (2 pts) Do an nmap scan that will list hosts on the subnet you identified in the
first task. REMEMBER: Don't do an internet search. Do it from memory. If you can't
do it from memory then go back and look at the notes. I'm expecting the nmap scan
to return IP numbers of four hosts: Kali, Metasploitable3 (Linux, i.e., MS3L),
Metasploitable3 (Windows, i.e., MS3W), and .... What do you think the
third host is (based on its IP number)? (REMEMBER: for this and all other
tasks, paste the command you used into the text document and then answer
the question(s) that were asked.)
- (2 pts) Use an aggressive nmap scan on this third mystery host to see what you can learn
about it. I expect you will not get much information on this host.
What port(s)/service(s) is/are open?
- (3 pts) Turn your attention to the three hosts you expected to find on
the network (Kali, MS3L, and MS3W). In a single nmap command do a
regular port scan along with OS detection for all three hosts. According to the
results of this command, what does it say the OS version is for Kali, MS3L,
and MS3W? How many ports are open on Kali, MS3L, and MS3W?
How many ports were checked on each host?
- (3 pts) Let's do some more exploration on MS3L and MS3W.
Do an nmap command that will do a “stealthy scan” on ALL ports (not just
a thousand) on each target host. What open ports were found with this
command that were not found with the standard port scan?
- (3 pts) Do two nmap commands (one for each server) that will attempt to
gather version information on the following open ports on MS3L: 21, 80,
3306 and on the following open ports on MS3W: 21, 80, 3306, 8080. For
each port you specified list (in your text document) the version
information returned by this command.
According to the version information, what Linux distribution appears to
be running on MS3L?
- (2 pts) Repeat the scan from the previous task (on the MS3L system only)
but slow it down to use the second slowest timing option (T1). How much
time did the first scan of the four ports take? How much time did the
slowed-down scan take? Why might you choose to spread the scans out over
time like this? NOTE: To time a command, just put the command “time” in front
of it.
- (2 pts) Visit the https://cve.mitre.org site and search for: Microsoft IIS 7.5
Copy and paste to your text document the list of known vulnerabilities
that can exist for that version of Microsoft's web server.
- (2 pts) Read this explanation of port states recognized by nmap:
https://nmap.org/book/man-port-scanning-basics.html Then, perform an
nmap scan that will identify which of the ports on MS3W are being
filtered by a firewall. According to the scan, which ports are protected by
a firewall?
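Several of the tasks above ask you to report open-port counts, version strings and filtered ports. The script below is an added example (not part of the course notes or of nmap itself) that parses nmap's "grepable" output, the format the -oG option writes, so those answers can be pulled out of a saved scan file rather than read off the screen. The scan text embedded in it is a constructed sample with made-up addresses and versions, not a real result from the lab machines.

```python
import re
from collections import defaultdict

# Constructed sample of nmap "grepable" output (what the -oG option writes) for two
# lab targets. Addresses, ports and version strings are made up for illustration.
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 192.168.56.101 ()\tStatus: Up
Host: 192.168.56.101 ()\tPorts: 21/open/tcp//ftp//ProFTPD 1.3.5/, 80/open/tcp//http//Apache httpd 2.4.7/, 3306/open/tcp//mysql//MySQL/\tIgnored State: closed (997)
Host: 192.168.56.102 ()\tPorts: 21/open/tcp//ftp//Microsoft ftpd/, 80/open/tcp//http//Microsoft IIS httpd 7.5/, 3306/filtered/tcp//mysql///, 8080/open/tcp//http//Jetty/\tIgnored State: filtered (996)
# Nmap done (constructed sample)
"""

# One port entry has seven slash-separated fields:
# port/state/protocol/owner/service/rpc-info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_grepable(text):
    """Return {host_ip: {port: {"state", "proto", "service", "version"}}}.

    Comment lines and 'Status:' lines are skipped; only lines carrying a
    'Ports:' field contribute. Fields on a line are tab-separated 'Key: value'.
    """
    hosts = defaultdict(dict)
    for line in text.splitlines():
        if line.startswith("#") or "Ports:" not in line:
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]          # drop the "(hostname)" part
        for port, state, proto, _owner, service, _rpc, version in PORT_RE.findall(fields["Ports"]):
            hosts[host][int(port)] = {"state": state, "proto": proto,
                                      "service": service, "version": version}
    return dict(hosts)


def ports_in_state(hosts, host, state):
    """Sorted port numbers on `host` whose nmap state equals `state`
    (e.g. "open" or "filtered"), handy for answering the count questions."""
    return sorted(p for p, info in hosts[host].items() if info["state"] == state)


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_GREPABLE)
    for host in scan:
        print(host, "open:", ports_in_state(scan, host, "open"),
              "filtered:", ports_in_state(scan, host, "filtered"))
        for port in ports_in_state(scan, host, "open"):
            print("   ", port, scan[host][port]["service"], scan[host][port]["version"])
```

To use it on your own results, save a scan with -oG to a file and pass that file's contents to parse_grepable in place of the constructed sample; the ports counted as "filtered" are the ones the port-states page describes as blocked by a firewall or filter.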
Upon completion of this assignment, upload your text document to this Canvas
assignment.