MODULE 3

Scanning Networks

NOTE: Shutting down the labs, restarting them, modifying the software, or
performing any updates is strictly prohibited. Doing so will result in the
termination of your lab access.
Scanning Networks

Network scanning involves the systematic exploration of a network to discover
active devices, services, and open ports. It helps identify vulnerabilities, map
network layouts, and assess security risks by examining the network's structure
and available resources. This process aids in understanding the network's
configuration and potential entry points for security evaluations and
maintenance.

Lab objectives:

• Check live systems to identify active devices.
• Determine open ports on these live systems.
• Identify services running on the live systems.
• Perform banner grabbing for service information.
• Conduct OS fingerprinting to identify the operating system.
• Identify and analyze network vulnerabilities.

Please Note: You have the option to conduct the lab scans on either
'scanme.nmap.org' or a Linux machine with the IP address 192.168.1.117.
Additional IP addresses may appear in the images provided for the scanning
exercises.
LAB 1
Performing host discovery using Nmap

Step 1. Turn on the Windows 10 lab machine.

Step 2. Open File Explorer and click Documents > Tools > Module 3 Scanning
Networks > Scanning Tools > Nmap.

Step 3. Double-click the Nmap installer and follow the installation process as
shown in the image.

Step 4. Now open the Nmap app.

Step 5. We have installed the Nmap GUI (Zenmap), which has a better interface
with more features.

Step 6. In the command field type: nmap -sn -PR scanme.nmap.org
-sn disables port scanning and -PR performs an ARP ping scan.

The scan result shows that the target host is up.

Step 7. In the command field type: nmap -sn -PU scanme.nmap.org
-PU performs a UDP ping scan.

Step 8. Now we will perform an ICMP echo ping scan. In the command field type:
nmap -sn -PE scanme.nmap.org
-PE performs an ICMP echo ping scan.

Nmap sends an ICMP echo request; if the host is active, it returns an ICMP
echo reply.

Step 9. Let's perform a ping sweep: nmap -sn -PE 192.168.1.101-109

Here we are specifying the target range 192.168.1.101-109. In this range
there are three devices active in the network.

We have a few other ping scan techniques to find active devices in the
network:

nmap -sn -PS scanme.nmap.org
-PS performs a TCP SYN ping scan (Nmap sends a TCP SYN packet; if the target
host responds with an ACK packet, the target host is active).

nmap -sn -PA scanme.nmap.org
-PA performs a TCP ACK ping scan (Nmap sends an ACK packet to the target
system; if the host responds with a RST packet, the target host is active).

nmap -sn -PO scanme.nmap.org
-PO performs an IP protocol ping scan.
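The ping sweep in Step 9 is easy to spot on the wire from the defender's side: one source sends ICMP echo requests to many distinct hosts within a short time, while a monitoring host pinging the same gateway repeatedly does not. As an added example (not part of this module), the Python below runs that check over a few constructed ICMP log lines in a made-up format; the log format, the threshold of five distinct targets within ten seconds, and every address outside the 192.168.1.101-109 range used in Step 9 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of ICMP log lines (not real traffic, not the module's data):
# "<ISO timestamp> ICMP <src> -> <dst> echo-request|echo-reply"
# 192.168.1.50 sweeps .101-.109 (like Step 9); 192.168.1.10 is a monitor pinging its gateway.
SAMPLE_LOG = """\
2024-05-01T10:00:00 ICMP 192.168.1.10 -> 192.168.1.1 echo-request
2024-05-01T10:00:01 ICMP 192.168.1.50 -> 192.168.1.101 echo-request
2024-05-01T10:00:01 ICMP 192.168.1.101 -> 192.168.1.50 echo-reply
2024-05-01T10:00:02 ICMP 192.168.1.50 -> 192.168.1.102 echo-request
2024-05-01T10:00:03 ICMP 192.168.1.50 -> 192.168.1.103 echo-request
2024-05-01T10:00:04 ICMP 192.168.1.50 -> 192.168.1.104 echo-request
2024-05-01T10:00:05 ICMP 192.168.1.10 -> 192.168.1.1 echo-request
2024-05-01T10:00:05 ICMP 192.168.1.50 -> 192.168.1.105 echo-request
2024-05-01T10:00:06 ICMP 192.168.1.50 -> 192.168.1.106 echo-request
2024-05-01T10:00:07 ICMP 192.168.1.50 -> 192.168.1.107 echo-request
2024-05-01T10:00:08 ICMP 192.168.1.50 -> 192.168.1.108 echo-request
2024-05-01T10:00:09 ICMP 192.168.1.50 -> 192.168.1.109 echo-request
2024-05-01T10:00:10 ICMP 192.168.1.10 -> 192.168.1.1 echo-request
"""

# Only echo requests matter for sweep detection; replies are skipped.
LINE_RE = re.compile(r"^(\S+) ICMP (\S+) -> (\S+) echo-request$")


def parse_echo_requests(text):
    """Return (timestamp, src, dst) tuples for every echo-request line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def detect_ping_sweeps(text, window_seconds=10, min_targets=5):
    """Flag sources that probe at least min_targets distinct hosts within any
    window_seconds span. Returns {src: sorted distinct destinations of the
    largest triggering window}; a host repeatedly pinging one target never triggers."""
    by_src = defaultdict(list)
    for ts, src, dst in parse_echo_requests(text):
        by_src[src].append((ts, dst))

    sweeps = {}
    for src, events in by_src.items():
        events.sort()
        best = set()
        for i, (t0, _) in enumerate(events):
            targets = set()
            for t, dst in events[i:]:           # sliding window starting at event i
                if (t - t0).total_seconds() > window_seconds:
                    break
                targets.add(dst)
            if len(targets) >= min_targets and len(targets) > len(best):
                best = targets
        if best:
            sweeps[src] = sorted(best, key=lambda ip: tuple(int(o) for o in ip.split(".")))
    return sweeps


if __name__ == "__main__":
    for src, targets in detect_ping_sweeps(SAMPLE_LOG).items():
        print(f"possible ping sweep from {src}: {len(targets)} hosts, "
              f"{targets[0]} .. {targets[-1]}")
```

The window and target thresholds are tuning knobs: a tight window with a low target count catches fast sweeps like the one in Step 9, while a slow scan spread over minutes needs a longer window or per-source counting over the whole log.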

TASK 2. Perform host discovery using Angry IP Scanner.

Step 1. Turn on the Windows 10 lab machine.

Step 2. Navigate to Documents > Tools > Module 3 Scanning Networks > Ping
Sweep Tools > Angry IP Scanner > ipscan-win64-3.6.1.

Step 3. Double-click the tool and follow the installation process as shown in
the images. Click Next until the terms screen finishes; the installer closes
automatically.

Step 4. In the IP range field set 192.168.1.101 - 192.168.1.109 as shown in
the image and click Settings.

Step 5. Open Pinging method and choose Combined UDP+TCP.

Step 6. Now click Display, tick Alive hosts only, and click OK.

Step 7. Now click the Start button.

Step 8. After the scan completes, a scan statistics window appears; the total
number of hosts alive is 1.

Step 9. The result of the scan shows the hostname and the IP address of the
alive host.
TASK 3. Perform port and service discovery using Nmap.

Step 1. Log into the Windows 10 lab machine.

Step 2. Open the Nmap tool.

Step 3. In the command field type: nmap -sT scanme.nmap.org

-sT performs a TCP full-open (connect) scan. A TCP connect scan completes the
three-way handshake with the target host: Nmap sends a SYN packet, the host
responds with SYN+ACK, and Nmap then sends the ACK packet.

Click on Ports/Hosts to display the open ports on the target host.

Step 4. In the command field type: nmap -sS scanme.nmap.org
-sS performs a half-open (stealth) scan, where Nmap does not send the final
ACK, so the connection is left half open without completing the handshake.

Step 5. In the command field type: nmap -sX scanme.nmap.org
-sX performs an Xmas scan. The Xmas scan sends packets with the FIN, PSH and
URG flags set; if the target port is open there is no response, and if the
target port is closed it replies with a RST packet.

Step 6. In the command field type: nmap -sA scanme.nmap.org

-sA performs an ACK scan. The ACK scan sends an ACK packet to the target; no
response means the port is filtered (a stateful firewall is present), while a
RST packet means the port is unfiltered.

Step 7. In the command field type: nmap -sU scanme.nmap.org

-sU performs a UDP scan. This scan takes a few minutes longer than the other
scans.

In a UDP scan Nmap sends a UDP packet instead of TCP, so there is no
three-way handshake. No response from the target means the port is open; if
an ICMP host unreachable message is received, the port is closed.
Step 8. In the Zenmap application we have different types of scan techniques
available.

Step 9. Other scan techniques:

nmap -sI <zombie host> scanme.nmap.org (idle scan; -sI takes the zombie host
as its argument)

nmap -sY scanme.nmap.org (SCTP INIT scan)

nmap -sZ scanme.nmap.org (SCTP COOKIE ECHO scan)

Step 10. In the command field type: nmap -A scanme.nmap.org

-A performs an aggressive scan: operating system detection, version
detection, script scanning, and traceroute.
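The probe/response rules that Steps 3 to 7 describe, written out as an added example that is not part of this module: infer_port_state() maps each scan type's reply to the state Nmap reports, exchange() lists the packets on the wire for a connect scan versus a half-open scan, and summarize() reproduces the "Not shown: N closed ports" grouping from a constructed set of per-port responses. One caveat worth knowing when reading real output: Nmap labels a silent Xmas or UDP port open|filtered rather than open, because an open port and a firewall that silently drops the probe look identical, and it recognises a closed UDP port by an ICMP port unreachable reply. The scan-type and response labels are this example's own.

```python
from collections import Counter

# Added example, not Nmap's code. What each scan type puts on the wire.
PROBE = {
    "connect": "SYN",
    "syn": "SYN",
    "ack": "ACK",
    "xmas": "FIN|PSH|URG",
    "udp": "UDP datagram",
}

# Response labels used by this example (constructed):
# 'syn-ack', 'rst', 'none', 'udp-data', 'icmp-port-unreachable', 'icmp-other-unreachable'


def infer_port_state(scan, response):
    """Map a scan type and the target's reply to the port state Nmap would report."""
    if scan not in PROBE:
        raise ValueError(f"unknown scan type {scan!r}")
    if scan in ("connect", "syn"):
        # SYN/ACK: a listener answered. RST: closed. Silence or ICMP error: something filtered it.
        return {"syn-ack": "open", "rst": "closed"}.get(response, "filtered")
    if scan == "ack":
        # ACK probes never reveal open vs closed, only whether a stateful filter is in the path.
        return "unfiltered" if response == "rst" else "filtered"
    if scan == "xmas":
        # Silence is ambiguous: an open port and a dropping firewall look the same.
        return {"rst": "closed", "none": "open|filtered"}.get(response, "filtered")
    # udp: only application data proves open; ICMP port unreachable proves closed.
    return {
        "udp-data": "open",
        "icmp-port-unreachable": "closed",
        "none": "open|filtered",
    }.get(response, "filtered")


def exchange(scan, port_open):
    """Packets exchanged for a full-open (connect) vs half-open (SYN) scan.
    Assumption: no firewall in the path, so a closed port answers with RST."""
    if scan not in ("connect", "syn"):
        raise ValueError("exchange() covers the connect and syn scans only")
    trace = [("scanner->target", "SYN")]
    if not port_open:
        trace.append(("target->scanner", "RST/ACK"))
        return trace
    trace.append(("target->scanner", "SYN/ACK"))
    if scan == "connect":
        trace.append(("scanner->target", "ACK"))  # handshake completes; the service logs a connection
    else:
        trace.append(("scanner->target", "RST"))  # Nmap tears the half-open attempt down instead
    return trace


def summarize(scan, responses):
    """responses: {port: response label}. Returns (dominant_state, count, [(port, state), ...])
    for the remaining ports, mirroring Nmap's 'Not shown: N <state> ports' line."""
    states = {port: infer_port_state(scan, r) for port, r in responses.items()}
    dominant, n = Counter(states.values()).most_common(1)[0]
    shown = sorted((p, s) for p, s in states.items() if s != dominant)
    return dominant, n, shown


# Constructed responses for a SYN scan: two listeners, one dropped probe, ten RSTs.
SAMPLE_RESPONSES = {22: "syn-ack", 80: "syn-ack", 443: "none"}
SAMPLE_RESPONSES.update({p: "rst" for p in range(1000, 1010)})

if __name__ == "__main__":
    dominant, n, shown = summarize("syn", SAMPLE_RESPONSES)
    print(f"Not shown: {n} {dominant} ports")
    for port, state in shown:
        print(f"{port}/tcp {state}")
    for direction, flags in exchange("syn", True):
        print(direction, flags)
```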

TASK 4. Explore various scan techniques using the hping3 tool.

Step 1. Log into Parrot OS.

Step 2. Switch to root:

sudo su

Step 3. In the terminal type: hping3 -A 192.168.1.117 -p 80 -c 5

In this command -A specifies an ACK scan, -p 80 specifies the port to be
scanned, and -c specifies the packet count.

The result shows the number of packets sent and received, indicating that
port 80 is open.

Step 4. hping3 -8 0-100 -S 192.168.1.117

Here -8 specifies scan mode, 0-100 specifies the ports to be scanned, and -S
is a SYN scan.

Step 5. In the terminal type: hping3 --scan 0-100 -S 192.168.1.117

--scan selects scan mode with the port range to scan, 0-100 is that range,
and -S is a SYN scan.
LAB 2
Performing OS discovery using active and passive banner grabbing

Passive banner grabbing: involves collecting publicly available information
without directly interacting with the target system. This method does not send
requests or probes but relies on already accessible data, such as information
visible in network packets or headers.

Active banner grabbing: involves sending direct requests to the target system's
services or ports to retrieve banners or information. This method actively
interacts with the system, potentially leaving logs and generating network
traffic.

Operating system                 Time to live   TCP window size
Linux (2.4 and 2.6)              64             5840
Windows 2000                     128            16384
Windows 7, Windows Server 2008   128            8192
Google Linux                     64             5720
Windows 95                       32             8192
TASK 1. Identify the target operating system using TTL (time to live).

Step 1. Log into the Windows 10 lab machine.

Step 2. Open Command Prompt.

Step 3. ping 192.168.1.117

The TTL value is recorded as 64, which means the ICMP reply probably came
from a Linux operating system.

Step 4. ping 192.168.1.103

The TTL value is recorded as 128, which means the ICMP reply probably came
from a Windows operating system.
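A worked version of the TTL method from Task 1, added here and not part of the module: it pulls the TTL out of a Windows-style or Linux-style ping reply, rounds it up to the nearest standard initial TTL, and reports both the likely OS family from the table above and the number of routers the reply crossed (each router decrements the TTL by one, so a Windows host three hops away shows TTL=125, not 128). The 255 row, the sample ping lines, and the hop estimate are constructed assumptions; the estimate is wrong if a NAT device or proxy rewrites the TTL, and a TTL of exactly 32 could be either Windows 95 or a Linux host 32 hops away.

```python
import re

# Initial TTL -> OS family, from the module's TTL table. The 255 row is an
# assumption added here (a common default for routers and some Unix systems).
INITIAL_TTL_OS = {
    32: "Windows 95",
    64: "Linux / Unix-like",
    128: "Windows (2000 / 7 / Server 2008)",
    255: "Network device or other OS (not in the module table)",
}

# Matches both Windows ("TTL=64") and Linux ("ttl=64") ping reply lines.
TTL_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)


def guess_os_from_ttl(observed_ttl):
    """Round the observed TTL up to the nearest standard initial TTL and return
    (initial_ttl, estimated_hops, os_family). Assumes every hop decremented the
    TTL by one and nothing rewrote it."""
    if not 0 < observed_ttl <= 255:
        raise ValueError(f"TTL out of range: {observed_ttl}")
    for initial in sorted(INITIAL_TTL_OS):
        if observed_ttl <= initial:
            return initial, initial - observed_ttl, INITIAL_TTL_OS[initial]
    raise AssertionError("unreachable: 255 covers every valid TTL")


def guess_os_from_ping_output(output):
    """Extract the TTL from the first reply line (Windows or Linux ping format)
    and classify it. Returns None when no line carries a TTL (timeouts, unreachable)."""
    for line in output.splitlines():
        m = TTL_RE.search(line)
        if m:
            return guess_os_from_ttl(int(m.group(1)))
    return None


# Constructed ping output modelled on the replies Task 1 describes (not captured data).
WINDOWS_PING = "Reply from 192.168.1.117: bytes=32 time=1ms TTL=64"
LINUX_PING = "64 bytes from 192.168.1.103: icmp_seq=1 ttl=125 time=2.31 ms"
NO_REPLY = "Request timed out."

if __name__ == "__main__":
    for sample in (WINDOWS_PING, LINUX_PING, NO_REPLY):
        print(repr(sample), "->", guess_os_from_ping_output(sample))
```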

TASK 2. Identify the target operating system using the Nmap Scripting Engine
(NSE).

Step 1. Log into the Windows 10 lab machine.

Step 2. Double-click the Zenmap file.

Step 3. In the command field type: nmap -A 192.168.1.117

As you can see, the result shows that the target operating system is Linux.

Step 4. nmap -A 192.168.1.103

This result indicates that the target operating system is Windows.

Step 5. nmap -O 192.168.1.117

-O performs operating system detection.
TASK 3. Scan beyond firewalls and IDS (intrusion detection systems).

Fragmentation: breaking packets into smaller fragments to evade detection by an
IDS, as some systems may not inspect fragmented packets comprehensively.

Source port manipulation: altering the source port number in outgoing network
packets. This technique is employed to bypass firewall restrictions or
intrusion detection systems (IDS) that rely on port-based filtering.

IP address decoy: deploying additional or fake IP addresses within a network
to divert or confuse potential attackers. These decoy addresses are not
associated with real systems or services but are strategically placed to
attract and deflect malicious activity away from critical resources.
Step 1. nmap -f 192.168.1.117

-f enables fragmentation: it splits the probe packets into tiny fragments to
evade detection by firewalls.

Technique: packet fragmentation splits packets into smaller fragments. When
these fragments reach the target's IDS or firewall, it has to queue all of
them and reassemble them one by one; this requires greater CPU and network
resources, so the IDS or firewall may skip such packets during port scans.

Step 2. nmap -g 80 192.168.1.117

-g is for source port manipulation.

Source port manipulation means replacing the actual source port number with a
common port number to evade IDS or firewalls. This is useful when the firewall
or IDS is configured to allow outside traffic from port 80 (HTTP), DNS, HTTPS,
etc.

Step 3. nmap --mtu 8 192.168.1.117

--mtu specifies the maximum transmission unit (here 8 bytes per packet). With
a small MTU, smaller packets are sent to the target system instead of a
complete packet at a time, which evades intrusion detection or filtering
mechanisms enabled on the target system.

Step 4. nmap -D RND:10 192.168.1.117

-D performs a decoy scan, and RND:10 generates 10 random, non-reserved IP
addresses as decoys.

A decoy scan generates random, or manually specified, decoy IP addresses to
evade IDS or firewalls. This technique makes it difficult for the IDS or
firewall to figure out which IP address was actually scanning the network and
which addresses were decoys.
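To see the techniques in Steps 1 to 3 from the defender's side, here is an added example (not part of the module) that models two firewall policies in Python: a stateless rule that trusts inbound packets by their source port, which is exactly the assumption -g 80 relies on, beside a minimal stateful tracker that accepts only replies to connections the inside host itself opened. It also checks for the 8-byte fragments that -f and --mtu 8 produce, which are too small to carry a full 20-byte TCP header, so a filter that inspects only the first fragment never sees the port numbers. The Packet class, the allowed-port set, and every address other than 192.168.1.117 are constructed assumptions.

```python
from dataclasses import dataclass

# Added example, not the module's code: stateless vs stateful filtering, and a
# tiny-fragment check. All addresses except 192.168.1.117 are constructed.


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                  # TCP flags, e.g. "SYN" or "SYN/ACK"
    more_fragments: bool = False
    frag_payload_len: int = 0   # transport bytes carried by this IP fragment (0 = not fragmented)


INSIDE_HOST = "192.168.1.117"   # the lab's Linux machine, used here as the protected system
SCANNER = "192.168.1.50"        # constructed scanner address
WEB_SERVER = "203.0.113.10"     # constructed external server (TEST-NET-3 documentation range)

TRUSTED_SOURCE_PORTS = {53, 80, 443}


def weak_allows(pkt):
    """Stateless rule of the kind 'nmap -g 80' gets past: accept inbound traffic whose
    *source* port looks like a well-known service, regardless of who started the conversation."""
    return pkt.dst == INSIDE_HOST and pkt.sport in TRUSTED_SOURCE_PORTS


class StatefulFilter:
    """Minimal connection tracker: inbound packets are accepted only as replies to a
    connection the inside host initiated, or as a SYN to an explicitly allowed port."""

    def __init__(self, allowed_inbound_ports=()):
        self.allowed_inbound_ports = set(allowed_inbound_ports)
        self.conns = set()  # (remote ip, remote port, local port)

    def outbound(self, pkt):
        """Record a connection the inside host opens."""
        if pkt.src == INSIDE_HOST and "SYN" in pkt.flags:
            self.conns.add((pkt.dst, pkt.dport, pkt.sport))

    def allows(self, pkt):
        if pkt.dst != INSIDE_HOST:
            return False
        if (pkt.src, pkt.sport, pkt.dport) in self.conns:
            return True  # reply to something we asked for
        return pkt.flags == "SYN" and pkt.dport in self.allowed_inbound_ports


def is_tiny_fragment(pkt, min_payload=20):
    """Flag IP fragments too small to carry a full TCP header: 'nmap -f' and '--mtu 8'
    emit 8-byte fragments, so the ports only appear once the fragments are reassembled."""
    return pkt.more_fragments and 0 < pkt.frag_payload_len < min_payload


def demo():
    """Run the constructed scenario; returns {case: verdict} for inspection."""
    fw = StatefulFilter(allowed_inbound_ports={80})  # assumption: the inside host serves HTTP
    fw.outbound(Packet(INSIDE_HOST, 50000, WEB_SERVER, 443, "SYN"))

    legit_reply = Packet(WEB_SERVER, 443, INSIDE_HOST, 50000, "SYN/ACK")
    spoofed_probe = Packet(SCANNER, 80, INSIDE_HOST, 22, "SYN")       # source port 80, like -g 80
    tiny = Packet(SCANNER, 40000, INSIDE_HOST, 22, "SYN",
                  more_fragments=True, frag_payload_len=8)            # first fragment from -f

    return {
        "legit_reply (weak, stateful)": (weak_allows(legit_reply), fw.allows(legit_reply)),
        "spoofed_probe (weak, stateful)": (weak_allows(spoofed_probe), fw.allows(spoofed_probe)),
        "tiny_fragment_flagged": is_tiny_fragment(tiny),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The stateless rule passes the source-port-80 probe to port 22 because it never asks who opened the connection; the stateful tracker drops it because no matching outbound connection exists, while still admitting the real reply from the web server. The fragment check is the kind of thing a reassembling IDS does before inspection; a filter that evaluates fragments individually should treat fragments smaller than a transport header as suspicious rather than letting them through uninspected.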

TASK 4. Create custom packets using Nmap to scan beyond IDS/firewalls.

Step 1. nmap 192.168.1.117 --data 0xdeadbeef

--data 0xdeadbeef sends the given binary data (0s and 1s) as the payload of
the sent packets to scan beyond firewalls.

Step 2. nmap 192.168.1.117 --data-string "random data"

--data-string "random data" sends a regular string as the payload of the sent
packets to evade IDS/firewalls; you can choose any string.

Step 3. nmap --data-length 5 192.168.1.117

--data-length 5 appends the given number of random data bytes to most of the
packets sent, without any protocol-specific payload.

Important Note: Upon completing the labs, make sure to log out of or close
them. For guidance on the proper shutdown process, refer to the final slides
of Module 2.
