Skip to content

Latest commit

 

History

History
116 lines (77 loc) · 2.88 KB

File metadata and controls

116 lines (77 loc) · 2.88 KB

Lab 10 — Network Scanning with Nmap

Exam objective: 2.1 Network reconnaissance, protocol scanning (TCP/UDP); 2.4 Tools.

In this lab you will use Nmap to discover hosts, identify open TCP and UDP ports, and detect services and operating systems. We'll target a local Docker container so you can run intrusive scans safely.


Step 1 — Bring up a vulnerable target

sudo apt install -y docker.io
sudo docker run --rm -d --name target -p 2222:22 -p 8080:80 -p 8443:443 \
  vulhub/openssh:5.3p1
# Or any image that exposes a few ports; metasploitable2 is heavier but classic:
# sudo docker run --rm -d --name target -p 0.0.0.0:0:0 tleemcjr/metasploitable2

Find the target IP (loopback on Killercoda):

TARGET=127.0.0.1

Step 2 — Host discovery (ping sweep)

sudo nmap -sn 192.168.1.0/24    # adapt to your local LAN, or skip for Docker

-sn ("no port scan") sends ICMP, ARP, TCP SYN to 443 and TCP ACK to 80 to find live hosts.


Step 3 — TCP SYN scan (the default)

sudo nmap -sS -p- --min-rate 1000 -T4 $TARGET
  • -sS half-open SYN scan, requires root.
  • -p- all 65535 ports.
  • --min-rate 1000 push pps for speed.
  • -T4 aggressive timing.

Stealth variants: -sN Null scan, -sF FIN scan, -sX Xmas scan (rarely used; many modern stacks ignore them).


Step 4 — UDP scan

sudo nmap -sU --top-ports 50 $TARGET

UDP is slow (no handshake, must wait for ICMP unreachable). Limit to top-N.


Step 5 — Service / version detection

sudo nmap -sV -sC -p 22,80,443,2222,8080,8443 $TARGET -oA target-scan
  • -sV probe service banners.
  • -sC run default NSE scripts (HTTP title, SSH algos, etc.).
  • -oA save in all three formats (target-scan.nmap, .xml, .gnmap).

Step 6 — OS fingerprinting

sudo nmap -O $TARGET

Nmap looks at TCP/IP stack quirks (TTL, window size, ISN sampling) and guesses the OS family.


Step 7 — Output formats and reporting

xsltproc target-scan.xml -o target-scan.html

Open target-scan.html in Firefox — that's your appendix artefact for the report.

For tabular consumption:

grep -E "^[0-9]+/" target-scan.nmap

Step 8 — Comparing scan types

Scan Flag Sends Use case
Connect -sT Full TCP handshake No root
SYN -sS SYN, RST after SYN/ACK Default stealth
ACK -sA ACK Firewall ruleset mapping
FIN/NULL/Xmas -sF/-sN/-sX Crafted flags Evade simple filters
UDP -sU UDP probes DNS, SNMP, NTP, NetBIOS
Ping -sn ICMP/ARP/SYN-443 Live-host sweep

What you learned

  • The difference between SYN, Connect, ACK, FIN, UDP and Null/Xmas scans.
  • How to combine version detection, default scripts and OS fingerprinting in one run.
  • How to export scans to XML/HTML for the report appendix.