Lab 2: Scanning and Reconnaissance Using Nmap
Objective
Understand how to use Nmap for scanning and reconnaissance to identify hosts, open ports, and services running on a network. This exercise will help you grasp how attackers gather information and how to mitigate reconnaissance attempts.
Prerequisites
- Kali Linux or Any Linux Distro:
- Ensure Nmap is installed.
- Tip: To check if Nmap is installed, type
nmap --version
in the terminal. Install it with:sudo apt update && sudo apt install nmap
- Basic Network Knowledge:
- Familiarity with IP addresses, subnets, and protocols like TCP/UDP.
- Tip: Review the OSI model, focusing on layers 3 (Network) and 4 (Transport) to understand how Nmap probes hosts and ports.
- Target Machine:
- Identify a machine to scan. Use a device on your local network or a lab setup.
- Insight: Never scan a system without proper authorization.
Step 1: Launching Kali Linux and Nmap
- Start your Kali Linux environment.
- Open a terminal by clicking the terminal icon or pressing
Ctrl + Alt + T
.
Step 2: Discovering Live Hosts on the Network
- To find active devices on your local network, use the ping scan:
nmap -sn <your_network_range>
- Replace
<your_network_range>
with your subnet (e.g.,192.168.1.0/24
). -
Output: Nmap will list all devices that responded to the ping.
- Tip: Use
ifconfig
orip a
to determine your IP and subnet.
- Replace
- Review the results:
- Active hosts will be listed with their IP and MAC addresses.
- Insight: This step is useful for network mapping and identifying potential targets.
Step 3: Scanning a Target Host
- Use a basic scan to discover open ports on a specific target:
nmap <target_ip>
- Replace
<target_ip>
with the IP of the device you want to scan.
- Replace
- Analyze the output:
- Ports: Lists open ports and their status (open/closed/filtered).
-
Services: Indicates the services running on those ports.
- Insight: Open ports can reveal vulnerabilities if unnecessary services are running.
Step 4: Performing a Service Version Scan
- To identify the version of services running on open ports, use:
nmap -sV <target_ip>
- Review the output:
-
Shows detailed information about services and their versions.
-
Tip: Service version information can help identify outdated or vulnerable software.
-
Step 5: Running an OS Detection Scan
- Use Nmap’s OS detection feature to determine the operating system of the target:
nmap -O <target_ip>
- Analyze the results:
-
Nmap will provide an estimate of the target’s operating system.
-
Insight: OS detection helps attackers tailor exploits but can be mitigated by firewalls and intrusion detection systems.
-
Step 6: Combining Scans for Comprehensive Reconnaissance
- Combine multiple options for a detailed scan:
nmap -A <target_ip>
- This performs OS detection, service version detection, and a traceroute.
- Review the comprehensive output:
- Tip: This scan is more aggressive and may trigger security systems. Use with caution.
Step 7: Exporting Scan Results
- Save your scan results for future analysis:
nmap -oN output.txt <target_ip>
- Replace
output.txt
with your desired file name.
- Replace
- Open the saved file to review:
cat output.txt
- Insight: Exported results are helpful for reporting and documentation.
Step 8: Cleaning Up
- Ensure you haven’t left unauthorized logs or evidence of scans on the target system.
- Follow ethical hacking principles and document your findings responsibly.
Additional Tips and Insights
- Legal Considerations:
- Only scan systems you own or have explicit permission to test.
- Insight: Unauthorized scanning is illegal and can lead to severe consequences.
- Network Defense:
- Use this lab to understand how attackers gather information.
- Tip: Implement defenses like firewalls and intrusion detection systems to mitigate reconnaissance attempts.
- Nmap Scripting Engine (NSE):
- Explore advanced scripts for vulnerability detection.
- Example:
nmap --script vuln <target_ip>
- Insight: NSE scripts enhance Nmap’s capabilities and are powerful for automated security testing.
- Practice Regularly:
- Experiment with different Nmap options and document your findings.
- Tip: Refer to the official Nmap documentation for advanced features.
Key Takeaways
- Nmap is a powerful tool for network reconnaissance and vulnerability assessment.
- Understanding its outputs helps identify potential attack vectors and improve security.
- Regular practice and adherence to ethical guidelines are crucial for effective and responsible use.