Exercise 6: Exploring Port Scanning with Nmap

Jan 6, 2025

Objective

Learn how to use Nmap to scan for open ports and services on a target machine, and analyze the results for potential vulnerabilities.

Scenario

You are a security analyst tasked with performing a network assessment for a client. Your first step is to identify active services and open ports on a server. This exercise will guide you through using Nmap, a powerful network scanning tool, to detect open ports, running services, and possible vulnerabilities on a target machine.

⚠️ Important: Only perform network scans in a legal and authorized environment. Unauthorized scanning of networks is illegal and unethical.


Lab Instructions

Step 1: Install Nmap

Install Nmap on your system using the package manager:

Linux:

sudo apt update
sudo apt install nmap -y

macOS (Homebrew):

brew install nmap

Windows: Download and install from https://nmap.org/download.html

Step 2: Perform a Basic Port Scan

Use Nmap to perform a simple scan on the target machine:

nmap <target-ip>

Replace <target-ip> with the IP address of the target machine.

This will scan the most common 1,000 TCP ports.

Step 3: Scan All Ports

Perform a full port scan to check all 65,535 TCP ports:

nmap -p- <target-ip>

Step 4: Perform an Advanced Scan

Use advanced flags to gather more detailed information:

nmap -A <target-ip>

-A enables OS detection, version detection, script scanning, and traceroute.

Run a service and version detection scan:

nmap -sV <target-ip>

-sV probes open ports to determine service/version info.

Use Nmap scripts to detect potential vulnerabilities:

nmap --script vuln <target-ip>

--script vuln runs vulnerability detection scripts.

Step 5: Document Your Findings

Record the following details:

  • Open Ports: List of detected open ports.
  • Services: Services running on the open ports.
  • Service Versions: Version numbers of detected services.
  • Potential Vulnerabilities: Any vulnerabilities flagged during the scan.

Step 6: Analyze the Results

  • Identify which services could be misconfigured or vulnerable.
  • Look for outdated software versions that may need updating.
  • Recommend appropriate mitigation steps based on the findings.

Solution & Explanation

Basic Scan Results

  • Displays open TCP ports and associated services.

Advanced Scan Insights

  • OS Detection: Identifies the operating system in use.
  • Service Versioning: Reveals software versions, useful for vulnerability checks.
  • Vulnerability Detection: Detects known weaknesses through scripted scans.

Example Output (Simplified)

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3
80/tcp   open  http    Apache httpd 2.4.29
443/tcp  open  https   OpenSSL 1.1.1
3306/tcp open  mysql   MySQL 5.7.29

Potential Vulnerabilities

  • OpenSSH 7.6: Might have known vulnerabilities if not updated.
  • Apache 2.4.29: Check for patches or misconfigurations.

Testing & Verification

  • Cross-reference detected service versions with vulnerability databases (e.g., CVE, NVD).
  • Re-scan after patching or hardening services to verify mitigation.
  • Validate whether unnecessary services are disabled.
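Steps 5 and 6 ask you to record the open ports and versions and then decide which services are unnecessary, and the verification step asks you to re-scan after hardening. The following added example (written for this exercise, not part of Nmap or the lab's own script) parses Nmap's normal-format output, compares the open ports against an agreed service baseline, and diffs a "before" and "after" scan so that remediation can be confirmed. The two scan reports and the baseline allowlist are constructed from the simplified example output above; the host name and the assumption that MySQL was firewalled off in the second scan are hypothetical.

```python
"""Parse Nmap normal (-oN) output and check it against a service baseline.

Added example for this exercise; not part of Nmap. The scan texts below are
constructed from the exercise's simplified output, and BASELINE is a
hypothetical allowlist an analyst would agree with the client.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Matches a port-table row such as "22/tcp   open  ssh     OpenSSH 7.6p1 ..."
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)

# Constructed sample: the first assessment scan.
SCAN_BEFORE = """\
Nmap scan report for lab-target.example (10.0.0.5)
Host is up (0.0012s latency).
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3
80/tcp   open  http    Apache httpd 2.4.29
443/tcp  open  https   OpenSSL 1.1.1
3306/tcp open  mysql   MySQL 5.7.29
"""

# Constructed sample: re-scan after the client firewalled MySQL (hypothetical).
SCAN_AFTER = """\
Nmap scan report for lab-target.example (10.0.0.5)
Host is up (0.0011s latency).
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3
80/tcp   open     http    Apache httpd 2.4.29
443/tcp  open     https   OpenSSL 1.1.1
3306/tcp filtered mysql
"""

# Hypothetical baseline: the only TCP ports the client expects to be reachable.
BASELINE = {(22, "tcp"), (80, "tcp"), (443, "tcp")}


@dataclass(frozen=True)
class PortFinding:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_nmap_output(text: str) -> list[PortFinding]:
    """Return one PortFinding per port-table row in Nmap normal output."""
    findings = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:  # header, host and latency lines do not match the row pattern
            findings.append(PortFinding(
                port=int(m["port"]), proto=m["proto"], state=m["state"],
                service=m["service"], version=(m["version"] or "").strip()))
    return findings


def open_ports(findings: list[PortFinding]) -> set[tuple[int, str]]:
    """Only 'open' rows count; 'filtered' or 'closed' rows are not exposed services."""
    return {(f.port, f.proto) for f in findings if f.state == "open"}


def unexpected_services(findings: list[PortFinding], baseline) -> list[tuple[int, str]]:
    """Open ports outside the baseline: candidates to disable or firewall."""
    return sorted(open_ports(findings) - set(baseline))


def compare_scans(before: list[PortFinding], after: list[PortFinding]) -> dict:
    """Diff two scans: ports closed since the first scan and any newly opened."""
    b, a = open_ports(before), open_ports(after)
    return {"closed": sorted(b - a), "newly_open": sorted(a - b)}


if __name__ == "__main__":
    first, second = parse_nmap_output(SCAN_BEFORE), parse_nmap_output(SCAN_AFTER)
    for f in first:
        print(f"{f.port}/{f.proto} {f.state} {f.service} {f.version}")
    print("Outside baseline:", unexpected_services(first, BASELINE))
    print("Remediation check:", compare_scans(first, second))
```

Feed it a real report by reading the file written with -oN (for example nmap_scan_results.txt from the optional script) instead of the constructed strings; the parser only looks at port-table rows, so the surrounding header and latency lines are ignored. A non-empty "newly_open" list on a re-scan is worth flagging even when the intended port was closed, since it shows the hardening change had a side effect.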

Additional Script (Optional)

Automate a comprehensive Nmap scan with this script:

#!/bin/bash
# Comprehensive Nmap Scan
# Usage: sudo ./nmap_full_scan.sh <target-ip>
# OS detection (part of -A) needs raw-socket privileges, hence sudo.
TARGET="$1"
if [ -z "$TARGET" ]; then
  echo "Usage: $0 <target-ip>"
  exit 1
fi

# Full TCP port scan with OS detection and vulnerability check;
# -oN writes the normal-format report to the named file.
nmap -p- -A --script vuln "$TARGET" -oN nmap_scan_results.txt

echo "Scan completed. Results saved in nmap_scan_results.txt."

Run the script:

chmod +x nmap_full_scan.sh
sudo ./nmap_full_scan.sh <target-ip>

Conclusion

In this exercise, you used Nmap to perform various scans to discover open ports, running services, and potential vulnerabilities on a target machine. Understanding how to properly use Nmap is crucial for network auditing and vulnerability assessment. By identifying exposed services and analyzing risks, you can help improve the security posture of systems and networks.
