Question
Activity 5-1 Getting to Know Nmap (30 Points)
Objective: Learn the basic commands and syntax of Nmap. Description: In this activity, you're introduced to using Nmap for quick scans of a network. You send a SYN packet to a host on the attack network your instructor has supplied. In this example, the attack network IP addresses are 136.142.35.137 to 136.142.35.140, but your attack range might be different. Make sure to follow the rules of engagement, and don't perform port scanning on any systems not included in the IP range your instructor gives you.
- Boot your computer into Linux or launch your Linux VM. Then open a command shell by clicking the Terminal icon on the panel taskbar. Type nmap -h | less and press Enter to see all available Nmap commands. Adding | less means only one screen's worth of information is displayed at a time. Press the space bar to get the next page. When you see (END), that is the last of the information. Press Ctrl+Z to return to the command line window. Your screen should look like Figure 5-2. You can scroll to review the command parameters.
Figure 5-2 The Nmap help screen
- There are a lot of parameters that can be used when scanning with Nmap. Look for the Port Specification and Scan Order section and copy and paste the list of commands in this section below:
Copy and Paste Here:
SYN packets are normally generated when a client attempts to start a TCP connection to a server. The client and server exchange a series of messages, which normally runs like this:
- The client requests a connection by sending a SYN (synchronize) message to the server.
- The server acknowledges this request by sending SYN-ACK back to the client.
- The client responds with an ACK, and the connection is established.
This is called the TCP three-way handshake, and it's the foundation for every connection established using the TCP protocol. In the past, attackers could bring down a firewall by sending lots of SYN packets; this is also known as a SYN flood attack. Each SYN packet would use up firewall resources, and eventually the firewall would stop accepting new connections. This can result in a massive business problem now that so many applications are cloud-based and need fast and reliable internet access.
- To run nmap commands you will need root privilege. These commands need to start with sudo. When running the first command with sudo, you will be asked for the password for kali which in this virtual machine is kali. To send a SYN packet to an IP address in your attack range, type sudo nmap -sS -v 136.142.35.137 and press Enter. Copy and paste (do not screen shot unless the entire results fit in one window) the results of your scan below.
- Next, try sending a new SYN packet to a different public IP address. Due to DNS (resolving a URL to an IP address) you can use a URL instead of an IP address.
- What address did you scan?
- Copy and paste the results here
- Do you see any differences? If so, list them.
- Nmap can scan through a range of IP addresses, so entering one IP address at a time isn't necessary. To send a SYN packet to every IP address in your attack range, type sudo nmap -sS -v 136.142.35.137-140 and press Enter. To see the output in a format you can scroll, press the up-arrow key, add the | less option to the end of the Nmap command, and press Enter. The command should look like this: sudo nmap -sS -v 136.142.35.137-140 | less
- Next, you will add one more parameter to the Nmap command to determine which computers in your attack range have the SMTP service or HTTP service running. Type sudo nmap -sS -v -p 80 136.142.35.137 and press Enter. The command's output may vary, but what's important is learning how to build on the Nmap command. You can select specific ports in the Nmap command, so not all 65,000 ports have to be scanned. Copy and paste the output here:
- Leave the Linux machine open for the next activity.
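The rules of engagement above say to scan only the range your instructor gave you. As an added example (not part of the assignment), this POSIX sh snippet checks a target against that range before the Activity 5-1 SYN scan is ever built; the range 136.142.35.137 to 136.142.35.140 and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: refuse to run the scan unless the target is inside the
# instructor-supplied range (values below are the example range from the activity).
SCOPE_FIRST=136.142.35.137
SCOPE_LAST=136.142.35.140

# ip_to_int A.B.C.D: print the address as a 32-bit integer; fail on malformed input.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1              # split the dotted quad into four positional parameters
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac   # digits only, no empty octets
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_scope TARGET FIRST LAST: succeed only when FIRST <= TARGET <= LAST.
in_scope() {
    t=$(ip_to_int "$1") || return 1
    lo=$(ip_to_int "$2") || return 1
    hi=$(ip_to_int "$3") || return 1
    [ "$t" -ge "$lo" ] && [ "$t" -le "$hi" ]
}

# syn_scan TARGET: the Activity 5-1 command, gated by the scope check.
syn_scan() {
    if in_scope "$1" "$SCOPE_FIRST" "$SCOPE_LAST"; then
        sudo nmap -sS -v "$1"
    else
        echo "refusing to scan $1: outside the rules-of-engagement range" >&2
        return 1
    fi
}
```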
Activity 5-2 Using Additional Nmap Commands (20 Points)
Objective: Perform more complex port-scanning attacks with Nmap.
Description: In this activity, you continue to use Nmap for port scanning on your attack network. You add to the parameters used in Activity 5-1 using Nmap scripts to discover more information about the remote host. You should practice these commands until they are second nature, but Fyodor developed a well-written help page (called a man page in UNIX/Linux circles) that you can use as a resource. You begin this activity by looking at this help page.
- If a Terminal window isn't open, boot your Linux computer or VM. Open a Terminal shell, and at the command prompt, type man nmap and press Enter. You can see that this command produces more information than the nmap -h command. Don't be concerned about memorizing the manual; just know it's there when you need it.
- Next, enter the command to send a default script scan to 136.142.35.137 Type nmap -sC -v 136.142.35.137 and press Enter. You can read more about the default scripts included with the default scan setting at https://nmap.org/nsedoc.categories,default.html. What are the results of the script scan?
- It appears that the host is down. Notice the note at the bottom of the output. Try adding the suggested -Pn before the IP in the same command you just ran. What brand and version of HTTP server is running on ports 80 and 443?
- Now, limit the scope so you only scan 443. This is done by using the -p flag. Type nmap -p443 -v 136.142.35.137 and press Enter. This makes the Nmap scan more targeted and less noticeable. How does this make the scan less noticeable? Place a screen shot here of the last scan you ran.
Activity 5-4 Creating an Executable Script (30 Points)
Objective: Learn to create, save, and run an executable script.
Description: Many hacking tools are written in scripting languages, such as VBScript or JavaScript. In this activity, you create a script that populates a file with a range of IP addresses. This type of file can be used as an input file for Nmap or Fping.
- If necessary, boot your computer into Linux or start your Linux VM and open a Terminal shell. Type vim Myshell and press Enter.
- Press i to enter insert mode. If this is your first time using the vim editor, you can find a list of vim commands at https://www.keycdn.com/blog/vim-commands The name vim means vImproved, as it builds on the functionality of the older text editor vi. If you've struggled to use vi in the past, vim is much more user friendly.
- First, type #!/bin/sh and press Enter. This line is important because it identifies the file you're writing as a script. You should enter a few lines of documentation in any scripts or programs you write because they help with program modifications and maintenance done later. When a line is used for documentation purposes, it's preceded with a # character. For this exercise, comment the following information, each on its own line. It should look something like Figure 5-2:
- Student Name
- Class
- Semester
- Date
Figure 5-2
- Next, type network_id="193.145.85." and press Enter. Be sure to include the quotation marks and the period after 85. (Because you will not actually use the script, the address entered won't matter.)
- Type count=0 and press Enter. You're initializing the count variable to zero, which is always wise because a variable shouldn't be used in a program without having a value set.
- Figure 5-10 shows more documentation comments added as an example, but skip entering them and move on to entering the program code.
- You need your script to add the number 1 to the 193.145.85 network ID and continue incrementing and adding numbers to the network ID until the IP address range 193.145.85.1 to 193.145.85.254 is written to a file named ip_address.txt. In programming lingo, this repeated process is called looping. To avoid creating an endless loop, you need to add a condition to the while statement. Type while [ $count -le 253 ] and press Enter. Note the spaces inside the square brackets and pay close attention to the use of quotation marks and dollar signs. It should look like this: while [ $count -le 253 ]
- Next, type do and press Enter. This statement is where the script performs its main task. The action takes place between the do statement and the done statement (added later). First, to increment the count variable by 1, type count=$(($count+1)), paying careful attention to the parentheses, and press Enter. The next line is covered in more detail in Module 7. For now, just understand that you can use the printf function to write data to a file. Type printf "%s%s\n" "$network_id" "$count" >> ip_address.txt and press Enter. The >> characters append each IP address to the end of the ip_address.txt file.
- Type done and press Enter, and then type exit 0 and press Enter. Figure 5-10 shows the entire script. Save your work by pressing Esc and typing : (a colon). At the : prompt, type wq and press Enter.
- Now that you've saved your script, you need to make it executable so that you can run it. At the command prompt, type chmod +rwx Myshell and press Enter.
- To run your script, type ./Myshell and press Enter. The script will run, but because your script doesn't create any output on screen, you need to examine the contents of the ip_address.txt file to see whether the script worked.
- Type cat ip_address.txt. How many IP addresses were created in the ip_address.txt file?
- Close the command line window and shut down your Kali VM
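Putting the Activity 5-4 steps together, here is the finished script as an added example (not the assignment's own Myshell file), with the loop wrapped in a function so the number of addresses it wrote can be checked. It assumes the same network ID and file name as the activity and, unlike the original, empties the file first so re-running it does not append a second copy of the range.

```shell
#!/bin/sh
# Added example: the Activity 5-4 address-list generator as a reusable function.
# Student Name / Class / Semester / Date comments go here in the real assignment.

# generate_ips NETWORK_ID OUTFILE: write NETWORK_ID.1 .. NETWORK_ID.254 to OUTFILE,
# one address per line, then print how many lines were written.
generate_ips() {
    network_id="$1"
    outfile="$2"
    count=0                      # always initialise before use
    : > "$outfile"               # truncate first so re-runs do not duplicate the range
    while [ "$count" -le 253 ]
    do
        count=$(($count+1))
        printf "%s%s\n" "$network_id" "$count" >> "$outfile"
    done
    wc -l < "$outfile" | tr -d ' '
}

# Same call the activity makes; the addresses are written to a file, never scanned here.
generate_ips "193.145.85." ip_address.txt
```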