Fingerprinting is the next step and is intended to identify the software running on the visible hosts. This could be a prelude to auditing them for security vulnerabilities or mapping likely targets for an attack. This assignment uses the popular tool nmap for this purpose. Nmap may be downloaded for your platform from www.insecure.org.
The description of nmap from www.insecure.org reads: “Nmap (“Network Mapper”) is a free open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers and both console and graphical versions are available. Nmap is free and open source (license).”
NOTE: Before downloading, be sure to read the relevant sections for your platform from the Nmap Install Guide. For example, for running Nmap on Windows 7 and newer, you may go to https://nmap.org/download.html#windows and download the latest release self-installer: nmap-6.49BETA4-setup.exe.
In this portion of the assignment, you will use the graphical front-end for nmap, Zenmap. Zenmap is installed in the same directory as nmap. Open a command window, navigate to the directory where nmap is installed and type zenmap.
Zenmap defines a series of scan profiles which provide shortcuts for performing the most common types of scans. Note that for each of these profiles, it shows the actual command line that is used to run nmap.
(10) Using the information available at http://insecure.org/nmap/data/nmap.usage.txt, interpret the options specified for the nmap command in the default scan. _________________
“Aggressive” is an abbreviation for the shortest delay.
Type the address scanme.insecure.org into the “Target” box and click on “Scan” to begin the nmap scan. Note that one of the first things nmap does is to ping the host to verify it is up.
(11) If the firewall at insecure.org blocked ICMP messages, what nmap option would you use to bypass the host-up check?
Below is a portion of a Wireshark capture of the beginning of the nmap scan.
(12) What technique does nmap use to identify open ports on the host?
Nmap says it is using a “syn stealth” scan – refer to the documentation available at http://insecure.org/nmap/man/man-port-scanning-techniques.html
(13) Why is this scan considered to be “stealthy?”
Interpreting scan results
Download the file Scan.pdf from the course web site (the saved output of an nmap scan of a more interesting machine) and use it to answer the following.
(14) What software versions was nmap able to identify for the open ports (not every port will have a version)?
(15) What operating system is the host running (general purpose)?
(16) As an attacker, what would be your next step in planning to exploit the information you have gathered?
(17) What type of server does this system appear to be (web, DNS, etc.)?
(18) As a network administrator charged with defending this network, what are some actions you would take in defending this network? Hint: Should all those ports/services be exposed on the Internet?
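For the interpretation step in (14) through (19), here is an added example that is not part of the assignment: a Python parser for the PORT/STATE/SERVICE/VERSION table in nmap's normal output, run over a constructed scan report (not the contents of Scan.pdf). It compares the open ports against a placeholder allowlist of services the host is supposed to expose, lists the version strings the scan disclosed, and summarises the role the visible services suggest, which is the administrator's view of the same data the attacker would use.

```python
"""Review an nmap port table against the services a host is meant to expose.

Added example, not part of the assignment. SCAN_OUTPUT is a constructed sample
laid out like nmap's normal output; the version strings and the allowlist are
placeholders and do not come from Scan.pdf.
"""
import re

SCAN_OUTPUT = """\
Nmap scan report for example-host (203.0.113.20)
Host is up (0.012s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 5.3 (protocol 2.0)
25/tcp   open     smtp    Postfix smtpd
80/tcp   open     http    Apache httpd 2.2.15
111/tcp  open     rpcbind 2 (RPC #100000)
3306/tcp open     mysql   MySQL 5.1.73
"""

# One table row: "<port>/<proto> <state> <service> [<version ...>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Constructed policy: the host's role (public web and mail server) justifies only these
EXPECTED_EXPOSED = {25, 80}

# Service-name hints for the "what type of server is this" question
ROLE_HINTS = {
    "http": "web", "https": "web",
    "smtp": "mail", "imap": "mail", "pop3": "mail",
    "domain": "DNS",
    "mysql": "database", "ms-sql-s": "database", "postgresql": "database",
    "ssh": "remote administration",
    "rpcbind": "file/RPC services", "nfs": "file/RPC services",
}


def parse_ports(text):
    """Return one dict per table row: port, proto, state, service, version."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            rows.append({"port": int(port), "proto": proto, "state": state,
                         "service": service, "version": (version or "").strip()})
    return rows


def infer_roles(rows):
    """Sorted list of role labels suggested by the open services."""
    return sorted({ROLE_HINTS[r["service"]] for r in rows
                   if r["state"] == "open" and r["service"] in ROLE_HINTS})


def exposure_review(text, expected=EXPECTED_EXPOSED):
    """Split open ports into expected and unexpected against the allowlist,
    keeping the version strings so the reviewer sees what the scan disclosed."""
    open_ports = [r for r in parse_ports(text) if r["state"] == "open"]
    return {
        "expected": [r for r in open_ports if r["port"] in expected],
        "unexpected": [r for r in open_ports if r["port"] not in expected],
        "versions_disclosed": {r["port"]: r["version"] for r in open_ports if r["version"]},
        "roles": infer_roles(open_ports),
    }


if __name__ == "__main__":
    review = exposure_review(SCAN_OUTPUT)
    print("server role(s):", ", ".join(review["roles"]))
    for r in review["unexpected"]:
        print(f"not in allowlist: {r['port']}/{r['proto']} {r['service']} {r['version']}")
```

Every port that lands in the "unexpected" list is a candidate for the answer to (18): either the service has a business reason to be reachable from the Internet and belongs in the allowlist, or it should be bound to an internal interface, filtered at the firewall, or turned off. The disclosed version strings show the second half of the problem: once an attacker has a version, the remaining work is looking it up, so keeping those services patched is as important as limiting what is exposed.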