Network Scanning and Enumeration

Objectives: Network Scanning and Enumeration

Network Scanning and Enumeration Labs Notes

These notes cover host discovery, port scanning, OS detection, firewall evasion, and penetration testing using Nmap, Metasploit, and ShellGPT.


Key Terms

  • Nmap: Network Mapper, a tool used for network discovery and security auditing.
  • Host Discovery: Finding live devices on a network. Analogy: Like checking which houses in a street have their lights on.
  • Port: Communication endpoints on devices. Analogy: Like doors of a house; some open, some locked.
  • Service: Software listening on a port (e.g., HTTP, FTP).
  • OS Detection: Determining which operating system is running on a device.
  • Firewall: Network security system controlling traffic. Analogy: Like a security guard checking visitors at a gate.
  • IDS: Intrusion Detection System that detects suspicious activities on a network.
  • Enumeration: Gathering detailed information from hosts (ports, services, OS, users).

Lab 3-01: Host Discovery using Nmap

Commands & Explanations

sudo su

Switch to root user. Analogy: Like getting full administrator access to the building.

nmap -sn -PR [Target IP Address]

ARP ping scan to check whether a host is alive: ARP requests are sent and the host replies if it is active. Example: checking if your neighbor is home by knocking on their door.

nmap -sn -PU [Target IP Address]

UDP ping scan to identify active hosts; a response comes back if the host is alive. Example: sending a text to see if someone responds.

nmap -sn -PE [Target IP Address]

ICMP ECHO ping scan. Host replies if alive. Example: Like calling a friend to see if they answer the phone.

nmap -sn -PE [Target Range of IP Addresses]

ICMP ECHO ping sweep on multiple hosts. Example: Checking multiple houses on a street for lights on.

nmap -sn -PP [Target IP Address]

ICMP timestamp ping scan to get host time. Example: Asking someone for the current time at their location.

nmap -sn -PM [Target IP Address]

ICMP address mask ping scan. Useful if ICMP ECHO is blocked.

nmap -sn -PS [Target IP Address]

TCP SYN ping scan. Sends a SYN packet; a SYN/ACK response means the host is alive. Analogy: Tapping the door lightly to see if someone responds.

nmap -sn -PA [Target IP Address]

TCP ACK ping scan. An RST response indicates an active host.

nmap -sn -PO [Target IP Address]

IP protocol ping scan; probes the host with several IP protocols.


Lab 3-02: Network Scanning Techniques using Nmap

Commands & Explanations

nmap -sT -v [Target IP Address]

TCP connect/full open scan. Verbose output shows all hosts and ports. Analogy: Fully opening the doors to see which rooms are accessible.

nmap -sS -v [Target IP Address]

Stealth/TCP half-open scan. Avoids full connection. Analogy: Peeking through the door without entering fully.

nmap -sX -v [Target IP Address]

XMAS scan (FIN, PSH, URG flags). Can bypass firewall detection.

nmap -sM -v [Target IP Address]

TCP Maimon scan. Checks port filtering by firewall.

nmap -sA -v [Target IP Address]

ACK flag probe scan. Detects filtered ports.

nmap -sU -v [Target IP Address]

UDP scan. Checks UDP ports; takes longer than a TCP scan.

nmap -sV [Target IP Address]

Service version detection. Finds software versions on open ports.

nmap -A [Target Subnet]

Aggressive scan. Detects OS, service versions, scripts, and traceroute.

nmap -sN / -sY / -sZ [Target IP Address]

NULL scan (-sN), SCTP INIT scan (-sY), COOKIE-ECHO scan (-sZ). Used to bypass firewall detection.


Lab 3-03: OS Discovery using NSE

nmap -A [Target IP Address]

Aggressive scan. Detects OS, services, ports.

nmap -O [Target IP Address]

OS discovery. Finds the operating system.

nmap --script smb-os-discovery.nse [Target IP Address]

SMB-based OS discovery. Detects OS, hostname, domain, NetBIOS name.


Lab 3-04: Evasion Techniques

nmap -f [Target IP Address]

Fragments packets to avoid IDS detection. Analogy: Sending letters in small pieces to avoid detection by security.

nmap -g 80 [Target IP Address]

Set source port to 80 (HTTP). Can bypass firewalls restricting certain ports.

nmap --mtu 8 [Target IP Address]

Set the MTU to 8 bytes, fragmenting packets to bypass detection.

nmap -D RND:10 [Target IP Address]

Decoy scan. Mixes in traffic from 10 random decoy IPs to hide the real source.

nmap -sT -Pn --spoof-mac 0 [Target IP Address]

Spoof the MAC address, skip host discovery, and run a TCP connect scan to avoid detection.
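As a defender-side counterpart to this lab, here is an added example (not from the notes) that flags ping sweeps and port scans in a constructed firewall-log excerpt. The log format, IP addresses and alert thresholds are invented for the example; a decoy scan (-D RND:10) shows up in such a log as several source IPs that are each flagged the same way.

```python
import re
from collections import defaultdict

# Constructed firewall log excerpt (not from the page): one SYN sweep across
# hosts, one vertical port scan of a single host, and one normal client session.
SAMPLE_LOG = """\
10:00:01 SRC=10.0.2.15 DST=10.0.2.20 PROTO=TCP DPT=80 FLAGS=S
10:00:01 SRC=10.0.2.15 DST=10.0.2.21 PROTO=TCP DPT=80 FLAGS=S
10:00:01 SRC=10.0.2.15 DST=10.0.2.22 PROTO=TCP DPT=80 FLAGS=S
10:00:02 SRC=10.0.2.15 DST=10.0.2.23 PROTO=TCP DPT=80 FLAGS=S
10:00:02 SRC=10.0.2.15 DST=10.0.2.24 PROTO=TCP DPT=80 FLAGS=S
10:00:05 SRC=10.0.2.30 DST=10.0.2.20 PROTO=TCP DPT=22 FLAGS=S
10:00:05 SRC=10.0.2.30 DST=10.0.2.20 PROTO=TCP DPT=80 FLAGS=S
10:00:05 SRC=10.0.2.30 DST=10.0.2.20 PROTO=TCP DPT=135 FLAGS=S
10:00:06 SRC=10.0.2.30 DST=10.0.2.20 PROTO=TCP DPT=443 FLAGS=S
10:00:06 SRC=10.0.2.30 DST=10.0.2.20 PROTO=TCP DPT=445 FLAGS=S
10:00:06 SRC=10.0.2.30 DST=10.0.2.20 PROTO=TCP DPT=3389 FLAGS=S
10:00:09 SRC=10.0.2.50 DST=10.0.2.20 PROTO=TCP DPT=443 FLAGS=S
10:00:09 SRC=10.0.2.50 DST=10.0.2.20 PROTO=TCP DPT=443 FLAGS=S
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)")


def classify_sources(log_text, sweep_hosts=4, scan_ports=5):
    """Label each source IP: 'sweep' if it probed at least sweep_hosts distinct
    hosts (ping sweep / horizontal scan), 'portscan' if it probed at least
    scan_ports distinct ports on one host (vertical scan), else 'normal'.
    Thresholds are illustrative; tune them to the network's baseline."""
    hosts_seen = defaultdict(set)                      # src -> {dst}
    ports_seen = defaultdict(lambda: defaultdict(set))  # src -> dst -> {dpt}
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue  # ignore lines the regex does not recognise
        src, dst, _proto, dpt = match.groups()
        hosts_seen[src].add(dst)
        ports_seen[src][dst].add(int(dpt))

    verdict = {}
    for src, dsts in hosts_seen.items():
        if len(dsts) >= sweep_hosts:
            verdict[src] = "sweep"
        elif any(len(p) >= scan_ports for p in ports_seen[src].values()):
            verdict[src] = "portscan"
        else:
            verdict[src] = "normal"
    return verdict
```

Because the detector works on per-source counts, fragmentation (-f, --mtu) does not hide a scan from it once the firewall has reassembled the packets; decoys only add more flagged sources rather than removing the real one.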


Lab 3-05: Metasploit Scanning

msfdb init
service postgresql start
msfconsole
db_status
nmap -Pn -sS -A -oX Test 192.168.2.0/24
db_import Test
hosts
services
search portscan
use auxiliary/scanner/portscan/syn
set PORTS 80
set RHOSTS target_IP
set THREADS 5
run

Explanation: Initializes the database, scans the subnet with Nmap from inside Metasploit and imports the XML results, lists the discovered hosts and services, then uses the portscan module to scan specific ports.
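The `-oX Test` file that `db_import` reads above is plain Nmap XML, so the same host and service data can be pulled out without Metasploit. The following is an added example (not from the notes or from either tool) that parses a constructed, trimmed `nmap -oX` document; the addresses, ports and product strings in it are invented.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -oX` output, cut down to the elements this parser
# reads. Hosts, ports and products are invented for the example.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -Pn -sS -A -oX Test 192.168.2.0/24">
  <host><status state="up"/>
    <address addr="192.168.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd"/></port>
      <port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="192.168.2.11" addrtype="ipv4"/></host>
  <host><status state="up"/>
    <address addr="192.168.2.12" addrtype="ipv4"/>
    <ports><port protocol="udp" portid="53"><state state="open"/><service name="domain"/></port></ports>
  </host>
</nmaprun>"""


def parse_nmap_xml(xml_text):
    """Return {ip: [(port, proto, state, service, product)]} for hosts that are up.
    Hosts whose <status> is not 'up' are skipped, like the 'hosts' view above
    only showing live machines."""
    results = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        entries = []
        for port in host.findall("ports/port"):
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = ""
            if svc is not None:  # join product and version when Nmap reported them
                product = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            entries.append((int(port.get("portid")), port.get("protocol"),
                            port.find("state").get("state"), name, product))
        results[addr.get("addr")] = entries
    return results


def open_services(results):
    """Flatten parse_nmap_xml() output to 'ip:port/proto service [product]' lines,
    keeping only ports in state 'open' (filtered ports are dropped)."""
    lines = []
    for ip, entries in sorted(results.items()):
        for port, proto, state, name, product in sorted(entries):
            if state == "open":
                lines.append(f"{ip}:{port}/{proto} {name}" + (f" {product}" if product else ""))
    return lines
```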


Lab 3-06: ShellGPT Scanning

sgpt --chat scan --shell "Use Hping3 to perform ICMP scanning on the target IP address 10.0.2.20 and stop after 10 iterations"
sgpt --chat scan --shell "Run a hping3 ACK scan on port 80 of target IP 10.0.2.20"
sgpt --chat scan --shell "Scan the target network 10.0.2.0/24 for active hosts and place only the IP addresses into a file scan1.txt"
pluma scan1.txt
sgpt --chat scan --shell "Run a fast but comprehensive Nmap scan against scan1.txt with low verbosity and write the results to scan2.txt"
pluma scan2.txt

Explanation: Uses AI-powered ShellGPT to automate host discovery, port scanning, OS detection, and service enumeration.


Comparison Table of Enumeration Techniques

Technique          | Tool/Command                   | Purpose                      | Analogy
-------------------|--------------------------------|------------------------------|---------------------------------------------
ARP Ping           | nmap -sn -PR                   | Finds live hosts in LAN      | Knocking on doors to see who's home
ICMP ECHO          | nmap -sn -PE                   | Ping sweep for active hosts  | Calling a friend to check availability
TCP SYN            | nmap -sn -PS                   | Detect hosts via SYN packets | Lightly tapping a door
TCP Connect        | nmap -sT                       | Full TCP port scan           | Fully opening the door
UDP Scan           | nmap -sU                       | Find open UDP ports          | Knocking silently on service doors
OS Discovery       | nmap -O / smb-os-discovery.nse | Identify target OS           | Checking what kind of building is inside
Evasion Techniques | nmap -f / -D / --spoof-mac     | Bypass firewall/IDS          | Disguising identity to enter a building
Metasploit Scan    | use auxiliary/scanner/portscan | Port & service enumeration   | Professional survey of rooms and doors
ShellGPT           | sgpt --chat scan --shell       | Automated AI-based scanning  | Robot assistant checking all doors & services

Review Questions & Answers

  1. What is host discovery and why is it important?
    Answer: Host discovery identifies live devices in a network. It's important to know which devices are active before scanning ports. Analogy: Checking which houses are occupied on a street.
  2. Explain the difference between TCP SYN scan and TCP Connect scan.
    Answer: TCP SYN (-sS) is stealthy and does not complete the handshake, avoiding detection. TCP Connect (-sT) completes the full handshake and is easier to detect. Analogy: Peeking through a door vs fully opening it.
  3. What is the role of UDP scanning?
    Answer: Detects open UDP ports often used by services like DNS. Analogy: Sending silent messages to check for activity.
  4. Explain ICMP ECHO ping sweep.
    Answer: Sends ICMP packets to multiple hosts to find which are alive. Analogy: Calling multiple friends to see who answers.
  5. Why is OS detection important in penetration testing?
    Answer: Helps identify possible exploits and tailor attacks. Analogy: Knowing the type of lock to pick.
  6. What is a Null scan?
    Answer: TCP packet without flags set; can bypass some firewalls. Analogy: Slipping in undetected without knocking.
  7. Describe the purpose of Metasploit scanning modules.
    Answer: Automates vulnerability discovery, identifies open ports, services, and potential exploits.
  8. How do evasion techniques help?
    Answer: Bypass IDS/firewall detection using fragmentation, decoys, spoofed MAC/IP.
  9. Explain the difference between ARP ping and ICMP ping.
    Answer: ARP ping works only in LAN; ICMP ping works across networks.
  10. Why use ShellGPT in scanning?
    Answer: Automates network scanning with AI, speeds up discovery, and provides structured results.

Reference Book: N/A

Author name: SIR H.A.Mwala Work email: biasharaboraofficials@gmail.com
#MWALA_LEARN Powered by MwalaJS #https://mwalajs.biasharabora.com
#https://educenter.biasharabora.com
