Network Scanning and Enumeration


LAB 3-01: Perform Host Discovery Using Nmap

Scenario

A mid-sized IT organization is strengthening its cybersecurity posture by performing a complete assessment of its internal network. The goal is to identify active hosts, open ports, and running services within the network. The infrastructure consists of Windows servers, Linux systems, database servers, IoT devices, and IPv6-enabled hosts.

Objective

To discover live hosts in a target network using multiple host discovery techniques supported by Nmap.

Tools Used

  • Nmap
  • Parrot Security OS

Step 1: Gain Root Privileges

Switch to ParrotOS and open the terminal. Run the following command to gain root access:

sudo su

Step 2: ARP Ping Scan

nmap -sn -PR [Target IP Address]

This command disables port scanning and performs an ARP ping scan. ARP scans are extremely reliable on a local network because a host must answer ARP requests to communicate at all, regardless of its firewall rules; they only work when the target is on the same Layer 2 segment as the scanner. If an ARP reply is received, the host is confirmed to be alive.

Step 3: UDP Ping Scan

nmap -sn -PU [Target IP Address]

This scan sends UDP packets to the target host. Either a UDP response or an ICMP port-unreachable error indicates that the host is active. UDP ping is useful when ICMP Echo is blocked.

Step 4: ICMP Echo Ping Scan

nmap -sn -PE [Target IP Address]

This method sends ICMP Echo Requests. If the host responds with an ICMP Echo Reply, it is considered alive.

Step 5: ICMP Echo Ping Sweep

nmap -sn -PE [Target IP Range]

This scan is used to discover multiple active hosts across a subnet. Example:

nmap -sn -PE 192.168.56.2-192.168.56.254

Step 6: ICMP Timestamp Ping Scan

nmap -sn -PP [Target IP Address]

This scan sends an ICMP timestamp request for the target system's time. If a timestamp reply is received, the host is active.

Step 7: ICMP Address Mask Ping Scan

nmap -sn -PM [Target IP Address]

Used when ICMP Echo is blocked: it sends an ICMP address mask request and treats an address mask reply as proof that the host is up.

Step 8: TCP SYN Ping Scan

nmap -sn -PS [Target IP Address]

This scan sends TCP SYN packets. If an ACK or SYN-ACK response is received, the host is active.

Step 9: TCP ACK Ping Scan

nmap -sn -PA [Target IP Address]

An RST response indicates the host is alive. This method can bypass some firewall rules.

Step 10: IP Protocol Ping Scan

nmap -sn -PO [Target IP Address]

This scan sends packets using multiple IP protocols. Any response confirms host availability.

Conclusion

Using multiple host discovery techniques ensures accurate identification of live systems, even in restrictive firewall environments.
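The discovery probes above (-PE, -PP, -PM) look like ordinary ICMP on a per-packet basis; what distinguishes a sweep is one source touching many destinations in a short window. The following detector is an added example, not part of the lab notes: it runs over constructed firewall-style log lines (the line format and the 30-second window are assumptions) and flags sources that behave like Step 5's ping sweep.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall-style log of inbound ICMP requests (not from the lab notes).
# TYPE 8 = echo (-PE), 13 = timestamp (-PP), 17 = address mask (-PM).
SAMPLE_ICMP_LOG = """\
2024-05-01T10:00:00 SRC=192.168.56.10 DST=192.168.56.2 PROTO=ICMP TYPE=8
2024-05-01T10:00:00 SRC=192.168.56.10 DST=192.168.56.3 PROTO=ICMP TYPE=8
2024-05-01T10:00:01 SRC=192.168.56.10 DST=192.168.56.4 PROTO=ICMP TYPE=8
2024-05-01T10:00:01 SRC=192.168.56.10 DST=192.168.56.5 PROTO=ICMP TYPE=8
2024-05-01T10:00:02 SRC=192.168.56.10 DST=192.168.56.6 PROTO=ICMP TYPE=8
2024-05-01T10:00:02 SRC=192.168.56.10 DST=192.168.56.7 PROTO=ICMP TYPE=8
2024-05-01T10:00:05 SRC=192.168.56.10 DST=192.168.56.2 PROTO=ICMP TYPE=13
2024-05-01T10:00:10 SRC=192.168.56.20 DST=192.168.56.1 PROTO=ICMP TYPE=8
2024-05-01T10:05:00 SRC=192.168.56.20 DST=192.168.56.2 PROTO=ICMP TYPE=8
"""
PROBE_TYPES = {8: "echo (-PE)", 13: "timestamp (-PP)", 17: "address mask (-PM)"}
LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) PROTO=ICMP TYPE=(\d+)")

def parse_icmp_log(text):
    """Return (timestamp, src, dst, icmp_type) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1))
            events.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return sorted(events)

def detect_ping_sweeps(text, window_seconds=30, min_targets=5):
    """Flag sources probing >= min_targets distinct hosts inside a sliding window."""
    window = timedelta(seconds=window_seconds)
    recent, probes, alerts = defaultdict(deque), defaultdict(set), {}
    for ts, src, dst, itype in parse_icmp_log(text):
        if itype not in PROBE_TYPES:      # replies and other ICMP types are ignored
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:      # drop events that fell out of the window
            q.popleft()
        probes[src].add(PROBE_TYPES[itype])
        distinct = {d for _, d in q}      # a single echo is normal; breadth is the signal
        if len(distinct) >= min_targets:
            alerts[src] = {"targets": len(distinct), "probes": sorted(probes[src])}
    return alerts
```

On the sample, 192.168.56.10 is reported with six targets and two probe types, while 192.168.56.20 (two requests five minutes apart) is not.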


LAB 3-02: Explore Various Network Scanning Techniques Using Nmap

Objective

To identify open ports, services, versions, and firewall behavior using different Nmap scanning techniques.

TCP Connect Scan

nmap -sT -v [Target IP Address]

Performs a full TCP handshake. This scan is reliable but easily detectable.

Stealth (SYN) Scan

nmap -sS -v [Target IP Address]

Sends SYN packets without completing the handshake, making it stealthier.

XMAS Scan

nmap -sX -v [Target IP Address]

Sends packets with FIN, PSH, and URG flags set.

TCP Maimon Scan

nmap -sM -v [Target IP Address]

Sends probes with the FIN and ACK flags set; used to bypass certain firewall rules that only inspect SYN packets.

ACK Scan

nmap -sA -v [Target IP Address]

Used to map firewall rules and filtering behavior.

UDP Scan

nmap -sU -v [Target IP Address]

Identifies open UDP ports. This scan is slow due to UDP behavior.

Service Version Detection

nmap -sV [Target IP Address]

Probes each open port to identify the service name and, where possible, the product and version running behind it.

Aggressive Scan

nmap -A [Target Subnet]

Includes OS detection, service detection, script scanning, and traceroute.
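Each scan type in this lab leaves a characteristic TCP flag combination on the wire, which is what a defender looks for in packet-filter logs. The following classifier is an added example, not part of the lab notes: it maps flag sets to the scan types above and reports any source whose probes of one type spread across several ports (the log line format and the three-port threshold are assumptions).

```python
import re
from collections import defaultdict

# Constructed packet-filter log lines (not from the lab notes): one line per
# inbound TCP segment with its flag set.
SAMPLE_TCP_LOG = """\
SRC=192.168.56.10 DST=192.168.56.101 SPT=41234 DPT=22 FLAGS=FIN,PSH,URG
SRC=192.168.56.10 DST=192.168.56.101 SPT=41234 DPT=80 FLAGS=FIN,PSH,URG
SRC=192.168.56.10 DST=192.168.56.101 SPT=41234 DPT=443 FLAGS=FIN,PSH,URG
SRC=192.168.56.10 DST=192.168.56.101 SPT=41235 DPT=139 FLAGS=FIN,ACK
SRC=192.168.56.10 DST=192.168.56.101 SPT=41235 DPT=445 FLAGS=FIN,ACK
SRC=192.168.56.10 DST=192.168.56.101 SPT=41235 DPT=3389 FLAGS=FIN,ACK
SRC=192.168.56.30 DST=192.168.56.101 SPT=51000 DPT=443 FLAGS=SYN
SRC=192.168.56.30 DST=192.168.56.101 SPT=51000 DPT=443 FLAGS=ACK,PSH
SRC=192.168.56.30 DST=192.168.56.101 SPT=51000 DPT=443 FLAGS=FIN,ACK
"""
# Flag combinations the scan types in this lab put on the wire.
SIGNATURES = {
    frozenset({"SYN"}): "SYN probe (-sS / -sT / -PS)",
    frozenset({"ACK"}): "ACK probe (-sA / -PA)",
    frozenset({"FIN", "PSH", "URG"}): "XMAS scan (-sX)",
    frozenset({"FIN", "ACK"}): "Maimon scan (-sM)",
}
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) SPT=(\d+) DPT=(\d+) FLAGS=(\S*)")

def classify_flags(flags):
    """Map a list of TCP flags to the lab scan type it matches, or None."""
    return SIGNATURES.get(frozenset(f for f in flags if f))

def summarize_tcp_probes(text, min_ports=3):
    """Group segments by (source, signature); report those touching >= min_ports ports.

    FIN/PSH/URG never occurs in a legitimate session, but a bare SYN, a bare ACK
    and FIN/ACK all appear in normal connections (the .30 flow below is a normal
    open/data/close), so the port-count threshold separates scans from traffic.
    """
    ports = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, _dst, _spt, dpt, flags = m.groups()
        sig = classify_flags(flags.split(","))
        if sig is not None:
            ports[(src, sig)].add(int(dpt))
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_ports}
```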


LAB 3-03: Perform OS Discovery Using the Nmap Scripting Engine (NSE)

Aggressive OS Detection

nmap -A [Target IP Address]

OS Detection Only

nmap -O [Target IP Address]

SMB OS Discovery Script

nmap --script smb-os-discovery.nse [Target IP Address]

Extracts OS name, computer name, domain name, workgroup, NetBIOS name, and system time.


LAB 3-04: Scan Beyond IDS/Firewall Using Evasion Techniques

Packet Fragmentation

nmap -f [Target IP Address]

Source Port Manipulation

nmap -g 80 [Target IP Address]

MTU Manipulation

nmap --mtu 8 [Target IP Address]

The option takes two dashes, and the value must be a multiple of 8.

Decoy Scan

nmap -D RND:10 [Target IP Address]

MAC Address Spoofing

nmap -sT -Pn --spoof-mac 0 [Target IP Address]

LAB 3-05: Scan a Target Network Using Metasploit

Initialize Database

msfdb init

Start PostgreSQL

service postgresql start

Launch Metasploit

msfconsole

Nmap Scan Inside Metasploit

nmap -Pn -sS -A -oX Test 192.168.2.0/24

Import Scan Results

db_import Test

List Hosts

hosts

List Services

services
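The -oX file imported by db_import is plain Nmap XML, and the hosts and services tables msfconsole shows are built from it. The parser below is an added example, not part of the lab notes or of Metasploit: it reads a constructed excerpt in that format (the addresses, names and versions are made up) and produces the same two views; the same functions work on the file written by "nmap ... -oX Test".

```python
import xml.etree.ElementTree as ET

# Constructed excerpt in Nmap's -oX format (not a real scan result); the same
# parser works on the file written by "nmap ... -oX Test".
SAMPLE_NMAP_XML = """\
<nmaprun scanner="nmap" args="nmap -Pn -sS -A -oX Test 192.168.2.0/24">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.2.10" addrtype="ipv4"/><address addr="08:00:27:00:00:01" addrtype="mac"/>
<hostnames><hostname name="fileserver.local" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="23"><state state="closed" reason="reset"/><service name="telnet"/></port>
</ports>
<os><osmatch name="Linux 5.X" accuracy="95"/></os></host>
<host><status state="down" reason="no-response"/><address addr="192.168.2.11" addrtype="ipv4"/></host>
</nmaprun>
"""

def parse_nmap_xml(text):
    """Return hosts that are up: address, hostname, OS guess and open ports (the hosts view)."""
    hosts = []
    for h in ET.fromstring(text).iter("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue                           # down hosts carry no services
        name, osm = h.find("hostnames/hostname"), h.find("os/osmatch")
        ports = []
        for p in h.iter("port"):
            if p.find("state").get("state") != "open":
                continue                       # closed/filtered ports are not services
            svc = p.find("service")
            info = [svc.get("product"), svc.get("version")] if svc is not None else []
            ports.append({"port": int(p.get("portid")), "proto": p.get("protocol"),
                          "name": svc.get("name", "") if svc is not None else "",
                          "info": " ".join(x for x in info if x)})
        hosts.append({"address": h.find("address[@addrtype='ipv4']").get("addr"),
                      "hostname": name.get("name") if name is not None else "",
                      "os": osm.get("name") if osm is not None else "", "ports": ports})
    return hosts

def services_table(hosts):
    """Flatten to (host, port, proto, name, info) rows, like msfconsole's services view."""
    return [(h["address"], p["port"], p["proto"], p["name"], p["info"])
            for h in hosts for p in h["ports"]]
```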

LAB 3-06: Scan a Target Using ShellGPT

ICMP Scan Using AI

sgpt --chat scan --shell "Use hping3 to perform ICMP scanning on target IP"

Host Discovery

sgpt --chat scan --shell "Scan the network for active hosts"

Nmap Scan via ShellGPT

sgpt --chat scan --shell "Run a fast but comprehensive Nmap scan"

OS Detection via TTL

sgpt --chat scan --shell "Identify OS using TTL value"

Conclusion

AI-assisted tools significantly enhance reconnaissance speed, accuracy, and automation in modern penetration testing environments.


FINAL CONCLUSION

These labs demonstrate professional network reconnaissance techniques used in ethical hacking. Proper authorization is mandatory before conducting any scans. Mastery of these tools allows security professionals to proactively identify vulnerabilities and strengthen network defenses.

Author name: SIR H.A.Mwala Work email: biasharaboraofficials@gmail.com