HW02: Intro to Nmap due Mon 11 Sep 23:59

In this assignment you will begin to learn basic usage of the wonderful
nmap command.


In nearly every quiz this semester you will be given an nmap command or option and you will be asked to explain what it does. To that end you need to memorize all the nmap command options listed in the “Scanning” section of the class notes (see link below).

Besides memorizing the specified options you will be asked to experiment with various commands and document what you have done in the form of a text file that you will upload into Canvas.

IMPORTANT: As you experiment with nmap, ONLY DO SO IN YOUR VIRTUAL ENVIRONMENT! Performing port scans against other networks or hosts is considered an attack.

Memorize Some Nmap Command Options

Take a moment to read the slides pertaining to nmap in the course notes. Those pages are in the “Scanning” section. Once you've read the section take about 5 minutes to attempt to memorize the various command options.

For the instructions that follow, try as much as possible to perform the required nmap commands from memory. If you need to look back at the notes that is okay, but you should fail at least twice on a given command before looking back at the notes.

Play Around with Nmap

Create a text document (i.e., has a .txt extension) that you will update after completing each task below. In the document give the task number followed by the commands you used to perform the task. If the task asks any questions be sure to put your answer to those questions in the document as well.

Before you start you should perform this one-time command to endow nmap with some special privileges when run with the --privileged option:

sudo setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip /usr/bin/nmap

If any of the commands you use/need require special privileges, just add the --privileged option to the command rather than running the command as the root user.

  1. (2 pts) Start VirtualBox and launch your Kali host and both of the Metasploitable3 targets.

    Log in to each machine and issue the commands needed to determine the IP address of each machine.

    What is the range of IP numbers for the Class C address range that contains both of those IP numbers? (You can use CIDR or any other notation supported by nmap to specify the range.) NOTE: For this task you don't need to issue an nmap command; put in the text document the command you used to determine each machine's IP number and the range of 256 IP numbers that contains both machines.

  2. (2 pts) Do an nmap scan that will list the hosts on the subnet you identified in the first task. REMEMBER: Don't do an internet search. Do it from memory. If you can't do it from memory then go back and look at the notes. I'm expecting the nmap scan to return the IP numbers of four hosts: Kali, Metasploitable3 (Linux, i.e., MS3L), Metasploitable3 (Windows, i.e., MS3W), and .... What do you think the third host is (based on its IP number)? (REMEMBER: for this and all other tasks, paste the command you used into the text document and then answer the question(s) that were asked.)

  3. (2 pts) Use an aggressive nmap scan on this third mystery host to see what you can learn about it. I expect you will not get much information on this host. What port(s)/service(s) is/are open?

  4. (3 pts) Turn your attention to the three hosts you expected to find on the network (Kali, MS3L, and MS3W). In a single nmap command do a regular port scan along with OS detection for these hosts. According to the results of this command, what is the OS version for Kali, MS3L, and MS3W? How many ports are open on Kali, MS3L, and MS3W? How many ports were checked on each host?

  5. (3 pts) Let's do some more exploration on MS3L and MS3W. Do an nmap command that will do a “stealthy scan” on ALL ports (not just the default thousand) on the target hosts. What open ports were found with this command that were not found with the standard port scan?

  6. (3 pts) Do two nmap commands (one for each server) that will attempt to gather version information on the following open ports on MS3L: 21, 80, 3306 and on the following open ports on MS3W: 21, 80, 3306, 8080. For each port you specified list (in your text document) the version information returned by this command.

    According to the version information, what Linux distribution appears to be running on MS3L?

  7. (2 pts) Repeat the previous scan (on the MS3L system only) but slow it down to use the second slowest timing option (T1). How much time did the first scan of the four ports take? How much time did the slowed-down scan take? Why might you choose to spread the scans out over time like this? NOTE: To time a command, just put the command “time” in front of it.

  8. (2 pts) Visit the https://cve.mitre.org site and do a search for: Microsoft IIS 7.5. Copy and paste into your text document the list of known vulnerabilities that can exist for that version of Microsoft's web server.

  9. (2 pts) Read this explanation of port states recognized by nmap: https://nmap.org/book/man-port-scanning-basics.html Then, perform an nmap scan that will identify which of the open ports on MS3W are being filtered by a firewall. According to the scan which ports are protected by a firewall?
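Added example (not part of the assignment, and not course code): a small Python parser for nmap's grepable output (-oG) that tallies port states per host, lists the ports in a given state, and computes the /24 that contains a set of addresses, i.e. the figures tasks 1, 4 and 9 ask you to report. The sample scan text and its addresses are constructed placeholders, not the lab machines' real values.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `nmap -oG -` output; addresses are documentation
# placeholders (RFC 5737), not the lab machines' real IP numbers.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -oG - 192.0.2.0/24
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/filtered/tcp//mysql///\tIgnored State: closed (997)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 21/open/tcp//ftp///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (998)
# Nmap done -- 2 IP addresses (2 hosts up) scanned in 3.21 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)")
# Each port entry reads port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)/")
IGNORED_RE = re.compile(r"Ignored State:\s+(\w+)\s+\((\d+)\)")

def parse_gnmap(text):
    """Map each host IP to its listed ports and the state nmap folded into 'Ignored State'."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and blank lines carry no host data
        host = hosts.setdefault(m.group(1), {"ports": {}, "ignored": None})
        for port, state, proto, service in PORT_RE.findall(line):
            host["ports"][(int(port), proto)] = (state, service)
        ig = IGNORED_RE.search(line)
        if ig:
            host["ignored"] = (ig.group(1), int(ig.group(2)))
    return hosts

def count_states(host):
    """Ports per state; summing the values gives how many ports nmap checked."""
    counts = Counter(state for state, _ in host["ports"].values())
    if host["ignored"]:
        counts[host["ignored"][0]] += host["ignored"][1]
    return dict(counts)

def ports_in_state(host, wanted):
    """Sorted port numbers whose state is `wanted`, e.g. 'open' or 'filtered'."""
    return sorted(p for (p, _), (state, _) in host["ports"].items() if state == wanted)

def class_c_range(addrs):
    """The one /24 that contains every address, or None if they span several /24s."""
    nets = {ipaddress.ip_network(f"{a}/24", strict=False) for a in addrs}
    return nets.pop() if len(nets) == 1 else None
```

Save your own scan with -oG in the lab and pass the file's contents to parse_gnmap to get the per-host counts for your write-up.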

Upon completion of this assignment, upload your text document to this Canvas assignment.