
Lab 1 - Port Scanning

Introduction
In this lab we will see how to probe a computer to figure out what services it's running. A service is usually something like a web server or an SSH server: a program that lets Internet users access the computer in some way. All services can be exploited for an attacker's gain somehow, though you may not know how. Many services have well-known attacks because they are running outdated software. Some services are inherently vulnerable to attack.

Setup
In order to perform this lab you will need an Ubuntu Desktop VM with some software installed on it. First, for those unfamiliar with Ubuntu and Linux, there are many commands I will ask you to run in a shell. I will show them like this:

# command arguments...

The hash sign (#) is there to let you know that you should enter the command at the command prompt. Do not type the hash sign into the terminal. The command starts with the first word. 

How to get a terminal
First, the machine will ask you to log in. My VMs have the user account test with the password test. To start a program you can use the "Windows" key or press the swirling icon on the top left hand side of your screen. Type "terminal" into the search box as shown.

You can just press enter at this point and the terminal will start. If that's too much typing you can use the control sequence Ctrl-Alt-T to start a new terminal. Some commands start with 'sudo'. Those are commands that have to be run as root (the administrator account). When you run sudo you may be prompted for the password of the account that's logged in. In most cases it will be 'test'. 

Installing the Port Scanner
The port scanner zenmap is a graphical front-end to the nmap tool. Nmap is the most powerful port scanner on Linux and zenmap makes it fairly easy to use. You can install zenmap on your VM using the following command:

# sudo apt-get install zenmap 

Once installed you can launch it like this. Please note that sudo is used to launch zenmap, because you must be root to get access to all of nmap's features.

# sudo zenmap 

Using Zenmap
There are two basic ways you can use zenmap. You can specify a pre-canned "Profile" using the pull-down menu at the top near the right, or you can enter nmap options yourself. I want you to do both in this lab. When selecting a profile, zenmap will replace all the command arguments between "nmap" and the name or IP address of the target. When I ask for a custom scan, please put the options I ask for there. When you do that the Profile field will go blank, telling you that you are using a setting with no matching profile.

When it's time to save your scans you can save them all at one time. Use the menu to select Scan -> Save All Scans to Directory. Select "File System" in the navigation and double click the "tmp" directory. Use the "Create Folder" button to create a folder called "scans". Once you have the /tmp/scans folder selected save your scans in there. You can save your scans anywhere you like but the instructions will use this directory later. 

Part 1
The following hosts will be your targets
  1. victim.local (172.20.5.227)  <<NEW ADDRESS>>
  2. victim2 (172.20.4.161)
  3. opus

For each of those machines you should perform port scans with the following nmap options (note: zenmap may add other options of its own that control nmap):

  1. Use the "Quick Scan" profile in zenmap
  2. -sO (Protocol scan, not a profile in zenmap)
  3. Use the "Intense Scan plus UDP" profile in zenmap
  4. -sX (Xmas scan, not a profile in zenmap)

Turn in:

  • For each host submit the following information
    • What OS is the machine running?
    • What protocols does the host support?
    • What services (a.k.a. open ports) does the host export? 
    • How long did each scan take?
  • Extra credit
    • Explain why scan times vary between scans (if they do).
    • Explain why scan times vary between hosts (if they do).
    • Submit scan logs of each of your scan attempts
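To turn the saved logs into the answers asked for above, here is an added example (my own, not part of the lab page): a small Python parser for nmap's normal text output (-oN), run over a constructed sample log rather than a real scan of the lab hosts. It pulls out the host, the OS guess, the port table and the scan duration, and keeps UDP's "open|filtered" state apart from a firm "open"; the -sO protocol table has a different layout and is not handled here.

```python
import re

# Constructed sample in nmap's normal (-oN) text format; not a real scan of the lab hosts.
SAMPLE_LOG = """\
# Nmap 7.80 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sS -sU -T4 -A -v victim.local
Nmap scan report for victim.local (172.20.5.227)
Host is up (0.0012s latency).
Not shown: 1995 closed ports
PORT     STATE         SERVICE VERSION
22/tcp   open          ssh     OpenSSH 7.6p1
80/tcp   open          http    Apache httpd 2.4.29
53/udp   open          domain  dnsmasq 2.79
123/udp  open|filtered ntp
Device type: general purpose
Running: Linux 4.X
OS details: Linux 4.15 - 5.6
# Nmap done at Mon Jan  1 10:03:21 2024 -- 1 IP address (1 host up) scanned in 201.45 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)")
DONE_RE = re.compile(r"scanned in ([\d.]+) seconds")

def parse_nmap_log(text):
    """Extract host, OS guess, port table rows and scan duration from one -oN log."""
    result = {"host": None, "os": None, "ports": [], "seconds": None}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            result["host"] = m.group(1)
        elif line.startswith("OS details:"):
            result["os"] = line.split(":", 1)[1].strip()
        elif PORT_RE.match(line):
            port, proto, state, service = PORT_RE.match(line).groups()
            # UDP rows are often 'open|filtered': nmap got no reply, so it cannot
            # tell an open port from a firewalled one. Keep the state so the
            # caller can decide; open_services() below counts only firm 'open'.
            result["ports"].append((int(port), proto, state, service))
        else:
            m = DONE_RE.search(line)
            if m:
                result["seconds"] = float(m.group(1))
    return result

def open_services(parsed):
    """Ports nmap reported as definitely open, as (port, proto, service)."""
    return [(p, pr, svc) for p, pr, st, svc in parsed["ports"] if st == "open"]
```

Run `parse_nmap_log` over each saved log and compare the `seconds` values to see how much the UDP and Xmas scans cost relative to the quick scan.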

Submitting Scan Logs

If you followed the instructions above your scan logs are in the /tmp/scans folder. There are two ways to zip them: from the GUI, which I showed in class, and from the command line. Use the following commands to zip your files on the command line:

# cd /tmp/scans  # or whatever directory you used

# tar -zcvf scans.tar.gz * 

You should now have a file called scans.tar.gz. Please submit that for extra credit.

Grading:

If you have submitted a complete questionnaire for each host: 10 points

(extra credit) If you have given a reasonable theory of why times vary (seriously, google it): 3 points

(extra credit) If you have submitted correct log files: 2 points

NOTE: If you have not already submitted your log files and would like to, please use Blackboard. If you have submitted log files using SCP and don't want to redo it, that's okay.
