Home‎ > ‎CIS 75‎ > ‎

Project 3: Network Mapping with Nmap

In this lab you'll use Nmap from two places on the network to expose and understand the attack surface of the CIS network. 


Nmap is a tool that finds hosts in an IP address range then scans and identifies them. Nmap runs on Window, Mac and Linux. In order to do this lab you must first download it from here: 

IMPORTANT: As I discussed in class using Nmap at work could be considered a violation of your company's acceptable use policy and may get you in trouble. You should do this lab at home or someplace where your port scanning will not be perceived as a threat. 

Part 1: Barbarians at the Gate

You must do this part from outside of the CIS network (the CTC is okay). Use dig (Linux and Mac) or nslookup (Windows) to discover the IP address of the following hosts: 
  1. opus.cis.cabrillo.edu
  2. vcenter.cis.cabrillo.edu
  3. pengo.cis.cabrillo.edu
  4. jeff.cis.cabrillo.edu
  5. matera.cis.cabrillo.edu
On the Mac/Linux command line run this command for each host: 

dig opus.cis.cabrillo.edu 

On the Windows DOS prompt run this command for each host: 

nslookup opus.cis.cabrillo.edu

Note each of the IP addresses. You will turn them in with your report. You will notice that all of the IP addresses are clustered near each other. They are all on this network:

Use Nmap or Zenmap

Now you will look for any hosts you didn't know about using Nmap (or the GUI-based Zenmap). Nmap requires you to be a privileged user to do the most stealthy types of scan. But there's no need for stealth, you can do most of the important work as a regular user. If you're using Zenmap you should select the following options: 
  • Target:
  • Profile: Intense scan, no ping
If you wish to go all command line that means you run Nmap like this: 

$ nmap -T4 -A -v -oN external_scan.txt -Pn

Document your findings:
  1. Save Nmap's output and submit it with your assignment (if you used the command line above the output will be in external_scan.txt).
  2. List the IP address and hostname (if possible) for every host you find on the network. 
  3. Record what operating system the host is probably running
  4. List the open ports on each host. 
You report will be graded on completeness. You should find and correctly list every possible host without missing any. 

Part 2: Making a Pivot

When an attacker successfully breaks into your network they have much greater access. That's because most firewalls are tuned to protect against threats from the internet and are less able to defend from internal threats. In this part you will use your (legal and valid) access to opus to perform another scan. You will scan the network from inside. First you must have access to Opus. If you don't know how to do that check my help page here: 

There aren't enough IPv4 addresses for the world. So we use NAT on the CIS network. That means that Opus has a different internal and external IP address. You can discover Opus' IP address using the command: 

$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:56:83:0E:CC  
          inet addr:  Bcast:  Mask:
          inet6 addr: 2607:f380:80f:f425:250:56ff:fe83:ecc/64 Scope:Global
          inet6 addr: fe80::250:56ff:fe83:ecc/64 Scope:Link
          inet6 addr: 2607:f380:80f:f425::230/64 Scope:Global
          RX packets:190446496 errors:0 dropped:0 overruns:0 frame:0
          TX packets:183315449 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:35368591066 (32.9 GiB)  TX bytes:136876108637 (127.4 GiB)

The output shows that Opus has the IP address:

On Opus scan the internal IP network using the Nmap command:

nmap -T4 -A -v -Pn -oN pivot_scan.txt

It will take several minutes. Be patient. The output of the scan will be long the command above saves the scan output in a file called pivot_scan.txt. Once the scan is complete search the output and list the same information as you did in part 1:
  1. Submit pivot_scan.txt with your assignment.
  2. List the IP address and hostname (if possible) for every host you find on the network. 
  3. Record what operating system the host is probably running
  4. List the open ports on each host. 
Answer the following questions:
  1. Did you find any hosts when scanning from Opus that you didn't find in the external scan? 
    1. List them.
  2. On the hosts you found in both your external/internal scan was there any difference in the open ports you saw? 
    1. What were they?
Turn In
  1. Your host list from Part 1 
  2. Your host list from Part 2 
  3. Answers to the questions in Part 2 
Submit your homework on Canvas.


The project total is 100 points. Your grade will be based on the criteria: 
  • 40 points -- correctness 
    • You must list every host 
    • You must list the OS and open ports of every host 
  • 30 points -- presentation 
    • Your report should be human readable and clear (as in a Word document)
    • Nmap output will not be considered human-readable 
  • 20 points -- completion
    • You should have saved scans from both part 1 and part 2