CST8230 lab02 - Network Scanning

Course: IT security
Institution: Algonquin College

CST8230

Lab #2

Network Scanning

Objectives

To learn more about network security scanning tools.
To learn to recognize certain types of connections for what they are by looking at the packets.

References:

SANS TCPDump & TCP/IP Reference Guide - http://www.sans.org/resources/tcpip.pdf
NMap Reference Guide - http://nmap.org/book/man.html

Lab Deliverables

You must use the Lab 2 Answer Sheet, available on Blackboard, or create a similar document. Do NOT submit your answers embedded in this document. Only one file per student must be submitted, in PDF format. Answer sheets must be submitted via Blackboard by midnight on Sept 25th, 2016. Most of the lab exercises for this lab can be performed outside the lab. However, be sure to indicate if this is the case in your lab submission, especially when it comes to captured packets.

Background information: You’re going to be using your packet capture abilities in this lab. Take your time, use some patience, and do the job right… or both your captured packets AND answers will not meet the criteria required. N.B.: Screenshots are NOT enough to get full marks in this lab. They may be used to support your answer, but a written answer MUST be provided. The capabilities and tools you will be using in this lab should not be used either on the Algonquin Corporate network or any other network connection without explicit authorization from the network administrator. Otherwise, you risk being mistaken for an attacker on that network!!

Procedure: NOTE: Follow these procedures carefully. If at any time you are unsure or are having problems, consult your lab instructor to ensure that you are not inadvertently damaging the equipment. Don’t be afraid or embarrassed to have the lab instructor check your work before going on to another step. Remember: You learn more by asking questions than by protecting your ego! Right, let’s get to it, shall we…

V 1.3.2, May 2, 2021


1. Using TCPDump to capture specific traffic

This section can be done either under Windows or Kali, but likely easier under Kali.
► Remember, any firewalls need to be turned off for things to work well!!



Now that you’ve gotten a little more comfortable with using TCPDump, let’s put it to good work.



Start up your Kali VM, and a Windows 7 VM.
► They’ll both need to be on the same VMNET host-only configuration, on the RED network:
  addresses for Kali Linux: 172.16.8.X [where X = magic #]
  addresses for Windows 7: 172.16.8.X+100 [where X = magic #]

We’ll be using TCPDump for this lab in both VMs.
► TCPDump is pre-installed under Kali, as is Wireshark.
► Windows needs you to install WinDump - https://www.winpcap.org/windump/ This includes the WinPCAP drivers needed to run Windows NICs in promiscuous mode.



For this lab, you will want to run TCPDump on the same machine as NMap, but in a separate terminal/command prompt and against the appropriate interface connecting both VMs.



To capture a session from start to end, you will need to use the specific command: tcpdump -X -i <interface> -w telnet.cap [with the interface being the one connected to your victim]
► No, I’m not asking you to decode the hex. Remember, you can use TCPDump (or Wireshark) to do it for you this time around.
► You’ll need to understand how TCP/IP packets and the Telnet protocol work to be able to properly answer the questions below. The SANS TCPDump & TCP/IP Reference Guide (see link on front page of lab) will help with this.



You’ll be learning more specifically about this over the next few weeks. The relevant information is on Blackboard: Lecture Sets #2 and #3, and associated materials.

Section C will require you to submit packet captures of your scans for marks.
► Submit ONLY the relevant captured packets for each question with your lab submission, with each individual packet labeled accordingly to show the answer for the question.

What I mean by labeled accordingly is that you’ve highlighted the relevant portion of the packet for that particular question.



It is not necessary to highlight any packet data represented as hex as part of this lab assignment.


2. Advanced NMAP skills

NMap can be installed natively with most Linux distributions today, and there is a Win32 version that has been ported over and is maintained by a separate group of developers.
► Kali ships with NMap already installed. You can ensure you have the latest version by running “apt-get upgrade nmap”.
► For Windows, the latest Win32 version is nmap-7.01-setup.exe. The Win32 version is a command line tool, but it also installs the ZenMap GUI front-end. We’re going to use the command line version in either case.



N.B.: The commands in this section are all based on the Kali command-line nmap. However, you will be expected to know the equivalent command structure in Windows nmap for later use. And you are free to use whichever version you wish for the work in this section.



You should have both a Windows VM AND Kali VM running.
► If you’re using the Windows version of NMap, you would scan against the Kali VM. If you’re using the Kali version of NMap, you would scan against the Windows VM.
► N.B.: The lab is written with Kali as the scanning VM.



No TCPDump/Wireshark needed here, just NMap scans and results.



At the command prompt, type in the command “nmap -n -sP localhost”.

Q1. What kind of information did the nmap scan results show you, specifically?

Try “nmap -n -sP <hostIP>”, where hostIP represents the IP of your Windows VM.

Q2. So what, exactly, does the -sP option do?

Now, type in the command “nmap -n localhost”.

Q3. Was the result the same? If not, what’s different?

Try again with the command “nmap -n -p 1-65535 localhost”.

Q4. Was the result the same as Q3? Explain why. And, no, timestamp differences don’t count.




Now try the command “nmap -n <hostIP>”.

Next, run the command “nmap -n -sS <hostIP>”.

Q5. Are there differences in the results between the two above commands? Explain why.

Now run the command “nmap -n -O <hostIP>”.

Q6. What kind of new information did the results show you?

Now run the command “nmap -n -A <hostIP>” and compare the results to the previous command.



Experiment with some of the more common nmap command line options to get a feel for the range of capabilities offered by this versatile tool.
► One of the best references for NMap is the author’s own site:
  https://nmap.org/book/toc.html
  https://nmap.org/book/man.html

Use the above information, and other online resources, to answer the questions below.

Q7. What do each of the -oN, -oX, -oG and -oS command options do?
Q8. What exactly is an nmap -sT scan? Explain in some detail.
Q9. What is a SYN Stealth scan? Explain in some detail.
Q10. Describe what a Bounce scan consists of.
Q11. What does the “Use Decoy(s)” option do, exactly?
Q12. Explain in some detail how NMap interprets and achieves O/S fingerprinting.
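As an added example (not part of the lab handout), the Python below works with the grepable -oG output format that Q7 asks about: it parses the Host:/Ports: lines into a structure and diffs a baseline run against a later one to flag ports that have newly opened on a host you administer. The two captures are constructed in the -oG shape rather than taken from a real scan; the target address 172.16.8.105 assumes a magic # of 5, and the second run assumes an FTP server was installed on the Windows VM, as the lab suggests further down.

```python
"""Parse Nmap grepable (-oG) output and diff two runs for newly opened ports."""
import re

# Constructed -oG output, not real scan results. Assumes the Windows VM is
# 172.16.8.105 (magic # X = 5); the second run assumes an FTP server was added.
BASELINE_GNMAP = """\
# Nmap 7.01 scan initiated Sun Sep 25 10:00:00 2016 as: nmap -n -oG baseline.gnmap 172.16.8.105
Host: 172.16.8.105 ()\tStatus: Up
Host: 172.16.8.105 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (997)
# Nmap done at Sun Sep 25 10:00:05 2016 -- 1 IP address (1 host up) scanned in 5.00 seconds
"""
CURRENT_GNMAP = """\
# Nmap 7.01 scan initiated Sun Sep 25 11:00:00 2016 as: nmap -n -oG current.gnmap 172.16.8.105
Host: 172.16.8.105 ()\tStatus: Up
Host: 172.16.8.105 ()\tPorts: 21/open/tcp//ftp///, 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (996)
# Nmap done at Sun Sep 25 11:00:05 2016 -- 1 IP address (1 host up) scanned in 5.00 seconds
"""

HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)")


def parse_gnmap(text):
    """Return {ip: {"name": hostname, "status": str, "ports": {(port, proto): {...}}}}.

    Each Host: line carries tab-separated "Key: value" fields. A Ports: value is a
    comma-separated list of port/state/protocol/owner/service/rpc-info/version/ entries.
    """
    hosts = {}
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():
            continue                      # comment lines hold the command line and timing
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        host = hosts.setdefault(m["ip"], {"name": m["name"], "status": None, "ports": {}})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                host["status"] = value
            elif key == "Ports":
                for entry in value.split(", "):
                    # Seven fields plus a trailing slash; only the first seven matter.
                    port, state, proto, owner, service, rpc, version = entry.split("/")[:7]
                    host["ports"][(int(port), proto)] = {
                        "state": state, "service": service, "version": version}
    return hosts


def open_ports(hosts, ip):
    """Sorted (port, proto) pairs reported open for one host (empty if host absent)."""
    ports = hosts.get(ip, {"ports": {}})["ports"]
    return sorted(k for k, v in ports.items() if v["state"] == "open")


def newly_open(baseline_text, current_text):
    """Ports open in the current run that were not open in the baseline, per host."""
    base, cur = parse_gnmap(baseline_text), parse_gnmap(current_text)
    changes = {}
    for ip in cur:
        added = sorted(set(open_ports(cur, ip)) - set(open_ports(base, ip)))
        if added:
            changes[ip] = added
    return changes


if __name__ == "__main__":
    for ip, ports in newly_open(BASELINE_GNMAP, CURRENT_GNMAP).items():
        print(ip, "newly open:", ", ".join(f"{p}/{proto}" for p, proto in ports))
```

Keeping a baseline -oG file for your own VM and re-running the same scan is the simplest way to notice a listener you did not expect; the diff above is the whole of that check. The -oX format carries the same data as XML and is the better choice when another tool will consume it, while -oN is the human-readable form you see on the terminal.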


3. Nmap scans and packet capture 

Again, this can be done either under Windows or Kali, but possibly easier under Kali.



We will now do packet captures on specific NMap scans, to be able to observe what the scans actually do/send as packets.
► For each scan you are going to perform, highlight and/or clearly label the required / important information on the TCPDump capture for each scan.
► Submit your TCPDump text output with the lab, properly labeled.
► Don’t just submit your NMap scan results, the marks are for interpreted TCPDump captures…
► For any Nmap-generated packets, label them as such along with source IP:port, destination IP:port, and the relevant flags that show you this is the case.
► For the target’s response, label which are response packets along with source IP:port, destination IP:port, and the relevant flags that show you this is the case.



Use the appropriate tcpdump commands to capture the scans below as you run them.
► Use a different filename for each capture session. Make the filename relevant so you can find it again later.



Start by scanning your Windows VM using NMap from Kali, and document a few open and closed ports.
► You’ll need these ports to be there for some of the scans you are doing. There are typically a few already opened in Windows, but you can add to that with software (e.g. FTP Server, etc…)



The goal for the scans below is for you to capture the relevant packets that make up the specific NMap scan type you are running.
► In other words, show me you can detect / recognize that said NMap scan is happening on the target system by virtue of the packets you captured on the target.



Think of this as an exercise in capturing packets to help identify what’s going on with your network and/or potentially “attacking/probing” your machine.
► By looking at packet patterns, header information and the payload being carried, it is possible to identify how protocols work OR what’s going on with your network – but it takes practice.
► Wireshark has a repository of pre-made PCAPs you can use to help see the patterns for specific protocols at https://wiki.wireshark.org/SampleCaptures#Sample_Captures


TCP scans (turn off ping and O/S detection, scan only a single port)
► Scan an open port on your target with a:
  Q13. TCP Connect scan
  Q14. FIN stealth scan
  Q15. TCP XMAS scan
  Q16. TCP Null scan
► Scan a closed TCP port on your target with a:
  Q17. Connect scan
  Q18. SYN stealth scan



UDP scans
  Q19. Scan an open port on your target
  Q20. Scan a closed port on your target
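As an added example (not code from the lab), the Python below does programmatically the labelling that Q13-Q20 ask for by hand: it reads tcpdump -n text output captured on the target side, groups each probe with the target's reply and the scanner's follow-up by port, names the probe from its TCP flag combination, and infers the port state from how the target answered. The sample capture is constructed, not recorded: it assumes a magic # of 5 (scanner 172.16.8.5, target 172.16.8.105), and the timestamps, sequence numbers and port numbers are made up.

```python
"""Recognise Nmap probe types and infer port state from tcpdump -n text output."""
import re

# Constructed sample capture, not from the lab. Assumes magic # X = 5 (scanner
# 172.16.8.5, Windows target 172.16.8.105) and tcpdump -n run on the target side.
SCANNER = "172.16.8.5"
SAMPLE_CAPTURE = """\
12:00:00.000001 IP 172.16.8.5.40000 > 172.16.8.105.135: Flags [S], seq 100, win 29200, length 0
12:00:00.000200 IP 172.16.8.105.135 > 172.16.8.5.40000: Flags [S.], seq 900, ack 101, win 8192, length 0
12:00:00.000300 IP 172.16.8.5.40000 > 172.16.8.105.135: Flags [.], ack 1, win 229, length 0
12:00:00.000400 IP 172.16.8.5.40000 > 172.16.8.105.135: Flags [R.], seq 1, ack 1, win 229, length 0
12:00:01.000001 IP 172.16.8.5.40001 > 172.16.8.105.445: Flags [S], seq 1000, win 1024, length 0
12:00:01.000200 IP 172.16.8.105.445 > 172.16.8.5.40001: Flags [S.], seq 2000, ack 1001, win 8192, length 0
12:00:01.000300 IP 172.16.8.5.40001 > 172.16.8.105.445: Flags [R], seq 1001, win 0, length 0
12:00:02.000001 IP 172.16.8.5.40002 > 172.16.8.105.445: Flags [F], seq 3000, win 1024, length 0
12:00:03.000001 IP 172.16.8.5.40003 > 172.16.8.105.445: Flags [FPU], seq 4000, win 1024, urg 0, length 0
12:00:04.000001 IP 172.16.8.5.40004 > 172.16.8.105.445: Flags [none], seq 5000, win 1024, length 0
12:00:05.000001 IP 172.16.8.5.40005 > 172.16.8.105.8080: Flags [S], seq 6000, win 1024, length 0
12:00:05.000200 IP 172.16.8.105.8080 > 172.16.8.5.40005: Flags [R.], seq 0, ack 6001, win 0, length 0
12:00:06.000001 IP 172.16.8.5.40006 > 172.16.8.105.8080: Flags [F], seq 7000, win 1024, length 0
12:00:06.000200 IP 172.16.8.105.8080 > 172.16.8.5.40006: Flags [R.], seq 0, ack 7001, win 0, length 0
12:00:07.000001 IP 172.16.8.5.40007 > 172.16.8.105.53: UDP, length 0
12:00:07.000200 IP 172.16.8.105 > 172.16.8.5: ICMP 172.16.8.105 udp port 53 unreachable, length 36
"""

TCP_RE = re.compile(r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
                    r"Flags \[(?P<flags>[^\]]*)\]")
UDP_RE = re.compile(r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): UDP")
ICMP_RE = re.compile(r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP \S+ udp port (?P<dport>\d+) unreachable")

# tcpdump flag letters: F=FIN, S=SYN, R=RST, P=PSH, .=ACK, U=URG; "none" when no flag is set.
PROBE_NAMES = {"S": "SYN", "F": "FIN", "FPU": "XMAS", "none": "NULL"}


def parse_line(line):
    """Return a dict for one tcpdump line (TCP, UDP or ICMP port unreachable), else None."""
    m = TCP_RE.match(line)
    if m:
        return dict(m.groupdict(), proto="tcp")
    m = UDP_RE.match(line)
    if m:
        return dict(m.groupdict(), proto="udp", flags="UDP")
    m = ICMP_RE.match(line)
    if m:  # names the UDP port it answers; the scanner's source port is not shown
        return dict(m.groupdict(), proto="icmp", sport=None, flags="ICMP")
    return None


def group_flows(lines, scanner):
    """Group packets into flows keyed on (target, target port, proto, scanner port or None)."""
    flows = {}
    new = lambda: {"probe": None, "scanner": [], "target": []}
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["src"] == scanner:                      # probe, or follow-up after the reply
            key = (p["dst"], int(p["dport"]), p["proto"], int(p["sport"]) if p["proto"] == "tcp" else None)
            flow = flows.setdefault(key, new())
            if flow["probe"] is None:
                flow["probe"] = p["flags"]
            else:
                flow["scanner"].append(p["flags"])
        elif p["proto"] == "icmp":                   # target answering a UDP probe
            flows.setdefault((p["src"], int(p["dport"]), "udp", None), new())["target"].append("ICMP")
        else:                                        # target answering a TCP/UDP probe: ports swap
            key = (p["src"], int(p["sport"]), p["proto"], int(p["dport"]) if p["proto"] == "tcp" else None)
            flows.setdefault(key, new())["target"].append(p["flags"])
    return flows


def classify(flow):
    """Name the scan type and infer port state from the probe, the replies and the follow-ups."""
    probe, replies, follow = flow["probe"], flow["target"], flow["scanner"]
    if probe == "UDP":
        # A closed UDP port answers with ICMP port unreachable; silence is open or filtered.
        return "UDP", "closed" if "ICMP" in replies else "open|filtered"
    name = PROBE_NAMES.get(probe, f"other({probe})")
    if name == "SYN":
        if "S." in replies:
            # -sT completes the handshake with an ACK before tearing down; -sS answers
            # the SYN/ACK with a bare RST.
            return ("TCP Connect" if "." in follow else "SYN stealth"), "open"
        if "R." in replies:
            return "SYN (connect or stealth)", "closed"   # identical on the wire
        return "SYN", "filtered"
    if name in ("FIN", "XMAS", "NULL"):
        # RFC 793: a closed port answers any non-RST segment with RST; a listening port
        # drops segments carrying neither SYN, ACK nor RST, so silence means open or filtered.
        return name, "closed" if "R." in replies else "open|filtered"
    return name, "unknown"


def report(capture=SAMPLE_CAPTURE, scanner=SCANNER):
    """(target port, proto, scan type, state) for each probe flow, in capture order."""
    return [(port, proto) + classify(flow)
            for (_t, port, proto, _s), flow in group_flows(capture.splitlines(), scanner).items()
            if flow["probe"] is not None]            # skip replies whose probe was not captured


if __name__ == "__main__":
    for port, proto, scan, state in report():
        print(f"{proto}/{port:<5} {scan:<26} -> {state}")
```

Running the block prints one line per probe flow. Two caveats apply when labelling real captures the same way: a SYN probe against a closed port looks identical whether it came from -sT or -sS (both draw RST/ACK), so only the open-port case tells them apart, by whether the scanner completes the handshake with an ACK; and the FIN/XMAS/NULL inference assumes an RFC 793 stack. Windows answers those three probes with RST on open ports as well, so against the lab's Windows 7 target they will classify as closed regardless, which is a recognisable property of that target, not a parsing error.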
