Lab 2: Scanning and Reconnaissance Using Nmap

Objective

Understand how to use Nmap for scanning and reconnaissance to identify hosts, open ports, and services running on a network. This exercise will help you grasp how attackers gather information and how to mitigate reconnaissance attempts.

Prerequisites

1. Kali Linux or Any Linux Distro:
   • Ensure Nmap is installed.
   • Tip: To check if Nmap is installed, type nmap --version in the terminal. Install it with:

     sudo apt update && sudo apt install nmap
     

2. Basic Network Knowledge:
   • Familiarity with IP addresses, subnets, and protocols like TCP/UDP.
   • Tip: Review the OSI model, focusing on layers 3 (Network) and 4 (Transport) to understand how Nmap probes hosts and ports.
3. Target Machine:
   • Identify a machine to scan. Use a device on your local network or a lab setup.
   • Insight: Never scan a system without proper authorization.

Step 1: Launching Kali Linux and Nmap

1. Start your Kali Linux environment.
2. Open a terminal by clicking the terminal icon or pressing Ctrl + Alt + T.

Step 2: Discovering Live Hosts on the Network

1. To find active devices on your local network, use the ping scan:

   nmap -sn <your_network_range>
   

   • Replace <your_network_range> with your subnet (e.g., 192.168.1.0/24).

   • Output: Nmap will list all devices that responded to the ping.

   • Tip: Use ifconfig or ip a to determine your IP and subnet.
2. Review the results:
   • Active hosts will be listed with their IP and MAC addresses.
   • Insight: This step is useful for network mapping and identifying potential targets.

Step 3: Scanning a Target Host

1. Use a basic scan to discover open ports on a specific target:

   nmap <target_ip>
   

   • Replace <target_ip> with the IP of the device you want to scan.
2. Analyze the output:
   • Ports: Lists open ports and their status (open/closed/filtered).

   • Services: Indicates the services running on those ports.

   • Insight: Open ports can reveal vulnerabilities if unnecessary services are running.

Step 4: Performing a Service Version Scan

1. To identify the version of services running on open ports, use:

   nmap -sV <target_ip>
   

2. Review the output:

   • Shows detailed information about services and their versions.

   • Tip: Service version information can help identify outdated or vulnerable software.

Step 5: Running an OS Detection Scan

1. Use Nmap’s OS detection feature to determine the operating system of the target:

   nmap -O <target_ip>
   

2. Analyze the results:

   • Nmap will provide an estimate of the target’s operating system.

   • Insight: OS detection helps attackers tailor exploits but can be mitigated by firewalls and intrusion detection systems.

Step 6: Combining Scans for Comprehensive Reconnaissance

1. Combine multiple options for a detailed scan:

   nmap -A <target_ip>
   

   • This performs OS detection, service version detection, and a traceroute.
2. Review the comprehensive output:
   • Tip: This scan is more aggressive and may trigger security systems. Use with caution.

Step 7: Exporting Scan Results

1. Save your scan results for future analysis:

   nmap -oN output.txt <target_ip>
   

   • Replace output.txt with your desired file name.
2. Open the saved file to review:

   cat output.txt
   

   • Insight: Exported results are helpful for reporting and documentation.

Step 8: Cleaning Up

• Ensure you haven’t left unauthorized logs or evidence of scans on the target system.
• Follow ethical hacking principles and document your findings responsibly.

Additional Tips and Insights

1. Legal Considerations:
   • Only scan systems you own or have explicit permission to test.
   • Insight: Unauthorized scanning is illegal and can lead to severe consequences.
2. Network Defense:
   • Use this lab to understand how attackers gather information.
   • Tip: Implement defenses like firewalls and intrusion detection systems to mitigate reconnaissance attempts.
3. Nmap Scripting Engine (NSE):
   • Explore advanced scripts for vulnerability detection.
   • Example:

     nmap --script vuln <target_ip>
     

   • Insight: NSE scripts enhance Nmap’s capabilities and are powerful for automated security testing.
4. Practice Regularly:
   • Experiment with different Nmap options and document your findings.
   • Tip: Refer to the official Nmap documentation for advanced features.

Key Takeaways

1. Nmap is a powerful tool for network reconnaissance and vulnerability assessment.
2. Understanding its outputs helps identify potential attack vectors and improve security.
3. Regular practice and adherence to ethical guidelines are crucial for effective and responsible use.