(Nmap: Lesson: 2)

{ Nmap Basic Usage }

Section 0: Background Information

NMAP
- Nmap (Network Mapper) is a security scanner used to discover hosts and services on a computer network, thus creating a "map" of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyzes the responses. Unlike many simple port scanners that just send packets at some predefined constant rate, Nmap accounts for the network conditions (latency fluctuations, network congestion, the target interference with the scan) during the run.
Prerequisite
- Nmap: Lesson 1: Installing Nmap
Lab Notes
- In this lab we will do the following:
  1. We will use the PENTEST-WXP VM (Attacker) to NMAP scan the Damn Vulnerable WXP-SP2 VM (Victim)
Legal Disclaimer
- As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
- In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
- In addition, this is a teaching website that does not condone malicious behavior of any kind.
- Your are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
- © 2012 No content replication of any kind is allowed without express written permission.

Section 1: Power On PENTEST-WXP

Edit Virtual Machine Settings
- Instructions:
  1. Click on PENTEST-WXP
  2. Click on Edit virtual machine
Configure Network Adapter
- Instructions:
  1. Select Network Adapter
  2. Click the radio button "Bridged: Connected directly to the physical network."
  3. Click the Okay button
Start PENTEST-WXP
- Instructions:
  1. Click on PENTEST-WXP
  2. Click on Play virtual machine
Send Ctrl+Alt+Del
- Instructions:
  1. Virtual Machine --> Send Ctrl+Alt+Del
Logging into Damn PENTEST-WXP.
- Instructions:
  1. Username: administrator
  2. Password: Use the Class Password or whatever you set it.
Open a Command Prompt
- Instructions:
  1. Start --> All Programs --> Accessories --> Command Prompt
Obtain PENTEST-WXP's IP Address
- Instructions:
  1. ipconfig
- Note(FYI):
  - This is the IP Address of the Scanning Machine.
  - In my case, PENTEST-WXP's IP Address is 192.168.1.111.
  - Your IP Address will be different.
  - Record your PENTEST-WXP's IP Address.

Section 2: Power On Damn Vulnerable WXP-SP2

Start Up Damn Vulnerable WXP-SP2.
- Instructions:
  1. Click on Damn Vulnerable WXP-SP2
  2. Click on Edit virtual machine Settings
- Note(FYI):
  - For those of you not part of my class, this is a Windows XP machine running SP2.
Edit Virtual Machine Settings
- Instructions:
  1. Click on Network Adapter
  2. Click on the Bridged Radio button
  3. Click on the OK Button
Play Virtual Machine
- Instructions:
  1. Click on Damn Vulnerable WXP-SP2
  2. Click on Play virtual machine
Logging into Damn Vulnerable WXP-SP2.
- Instructions:
  1. Username: administrator
  2. Password: Use the Class Password or whatever you set it.
Open a Command Prompt
- Instructions:
  1. Start --> All Programs --> Accessories --> Command Prompt
Obtain Damn Vulnerable WXP-SP2's IP Address
- Instructions:
  1. ipconfig
- Note(FYI):
  - In my case, Damn Vulnerable WXP-SP2's IP Address 192.168.1.116.
  - This is the IP Address of the Victim Machine that will be attacked by Metasploit.
  - Record your Damn Vulnerable WXP-SP2's IP Address.

Section 3: Perform Nmap Quick Scan

Perform NMAP Quick Scan
- Instructions:
  1. Make sure you are on the PENTEST-WXP VM Machine
  2. Start Up NMAP by clicking on your NMAP icon located on your desktop.
Perform a quick scan by doing the following: (See Below).
- Note(FYI):
  - Replace 192.168.1.116 with Damn Vulnerable WXP-SP2's IP Address obtained in (Section 2, Step 6).
- Instructions:
  1. Target: 192.168.1.116
    - You will be using PENTEST-WXP to scan Damn Vulnerable WXP-SP2.
  2. Profile: Select Quick Scan
  3. The Click Scan.
Output Analysis
- Notes(FYI):
  1. Nmap's quick scan displays the following basic network metrics:
    - If the host is up.
    - How many ports are closed.
    - Which ports are open and their service name.
      - e.g., 21 (ftp)
    - Also, the MAC address is display with Nmap's guess of the OS being VMware.
Click on the Ports / Hosts tab
- Instructions:
  1. Click on the Ports/Hosts Tab
- Notes(FYI):
  - This tabs represents all the open ports, protocol, state and service names.
Click on Host Details
- Instructions:
  1. Click on the Host Details Tab
- Notes(FYI):
  - This tab represents the status of the host and its corresponding IP and MAC Addresses information.

Section 4: Nmap Intense Scan

Perform Intense Scan
- Note(FYI):
  - Replace 192.168.1.116 with Damn Vulnerable WXP-SP2's IP Address obtained in (Section 2, Step 6).
- Instructions:
  1. Target: 192.168.1.116
  2. Change Profile to: Intense scan, all TCP ports
  3. Click Scan.
Version Analysis
- Notes(FYI):
  1. Notice the results are more verbose.
  2. The actual version of the service was added to service name.
    - You can use this information to investigate possible exploits.
    - For Example, Microsofts ISS http 5.1 webserver.
Operating System Footprinting Analysis
- Notes(FYI):
  1. The OS details shows us that the actual OS is Windows XP, and it is running SP2.
    - In this case, an attacker might start salivating due to the MS08-067 exploit for SP2.
Host Script Results Analysis
- Notes(FYI):
  - Nmap runs nbstat to determine the NetBIOS name and user.
    - This information could be used for a brute force attack.
  - Notice that SMB is running.
    - The Server Message Block (SMB) Protocol is a network file sharing protocol, and as implemented in Microsoft Windows is known as Microsoft SMB Protocol.
  - SMB Critical Updates
    - Microsoft Security Bulletin MS08-067 – Critical

Section 5: Nmap Network Scan

Subnet Ping Scan
- Instructions:
  1. Change Target to the subnet address of Damn Vulnerable WXP-SP2.
    - In my case, 192.168.1.0/24
    - Notice, that I replaced the last octet of my IP address with a 0.
  2. Change Profile to: Ping Scan
  3. Click Scan
Nmap Output Analysis
- Instructions:
  1. Big Red Arrow #1
    - This displays a list of all the devices that returned an ICMP packet.
    - You can click on each host to get their specific details.
  2. Big Red Arrow #2
    - This displays a general list of all the devices found which includes
      - IP Address
      - MAC Address
      - And guess as to what it is.
Topology Analysis
- Instructions:
  1. Click on the Topology Tab.
  2. Click on Fisheye
    - This will allow you to increase the size of the network picture.
  3. Click on Controls
    - This will allow you to increase the size of the network rings.
- Note(FYI):
  - This will give you a visual representation of how your network is laid out.
  - When presenting a customer or management with a penetration testing analysis, this would be a good picture to throw into the report.

Section 6: Proof of Lab

Open a Command Prompt
- Instructions:
  1. Start --> All Programs --> Accessories --> Command Prompt
Proof of Lab Instruction:
- Note(FYI):
  - Replace 192.168.1.116 with Damn Vulnerable WXP-SP2's IP Address obtained in (Section 2, Step 6).
- Instructions:
  1. nmap -O 192.168.1.116
  2. date /t
  3. echo "Your Name"
    - Replace the string "Your Name" with your actual name.
    - e.g., echo "John Gray"
- Proof of Lab Instructions:
  1. Press the PrtScn Button on your keyboard
  2. Paste into a word document
  3. Upload to Moodle