Lab 2 - Port and Service Discovery

Module 03 - Scanning Networks
Perform Port and Service Discovery

Port and service discovery is the process of identifying open ports and services running on the
target IP addresses/active hosts.
Lab Scenario
As a professional ethical hacker or a pen tester, the next step after discovering active hosts in
the target network is to scan for open ports and services running on the target IP addresses in
the target network. This discovery of open ports and services can be performed via various port
scanning tools and techniques.
Lab Objectives
= Perform port and service discovery using MegaPing
= Perform port and service discovery using NetScanTools Pro
= Perform port scanning using sx tool
= Explore various network scanning techniques using Nmap
= Explore various network scanning techniques using Hping3
Lab Environment
To carry out this lab, you need:
= Windows 11 virtual machine
= Windows Server 2022 virtual machine
= Windows Server 2019 virtual machine
= Parrot Security virtual machine
= Ubuntu virtual machine
= Android virtual machine
= Web browsers with an Internet connection
= Administrator privileges to run the tools
Lab Duration
Time: 45 Minutes
CEH Lab Manual Page 230 Ethical Hacking and Countermeasures Copyright © by E6-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Overview of Port and Service Discovery

Port scanning techniques are categorized according to the type of protocol used for
communication within the network.
= TCP Scanning
© Open TCP scanning methods (TCP connect/full open scan)

o Stealth TCP scanning methods (Half-open Scan, Inverse TCP Flag Scan, ACK flag
probe scan, third party and spoofed TCP scanning methods)
= UDP Scanning
= SCTP Scanning
o SCTP INIT Scanning
o SCTP COOKIE/ECHO Scanning

= SSDP and List Scanning
= IPv6 Scanning
Lab Tasks
Task 1: Perform Port and Service Discovery using MegaPing
MegaPing is a toolkit that provides essential utilities for Information System specialists, system
administrators, IT solution providers, and individuals. It is used to detect live hosts and open
ports of the system in the network, and can scan your entire network and provide information
such as open shared resources, open ports, services/drivers active on the computer, key
registry entries, users and groups, trusted domains, printers, etc. You can also perform various
network troubleshooting activities with the help of integrated network utilities such as DNS
lookup name, DNS list hosts, Finger, host monitor, IP scanner, NetBIOS scanner, ping, port
scanner, share scanner, traceroute, and Whois.
Here, we will use the MegaPing tool to scan for open ports and services running on the target
range of IP addresses.
1. Before beginning this task, turn on the Windows 11, Windows Server 2022, Windows
Server 2019, Ubuntu, Parrot Security, and Android virtual machines.
2. Switch to the Windows 11 virtual machine. By default, Admin user profile is selected,
type Pa$$wOrd in the Password field and press Enter to login.
Note: If Welcome to Windows wizard appears, click Continue and in Sign in with
Microsoft wizard, click Cancel.
Note: Networks screen appears, click Yes to allow your PC to be discoverable by other
PCs and devices on the network.
3. Navigate to €:\CEH-Tools\CEHvi2 Module 03 Scanning Networks\Scanning
Tools\MegaPing and double-click megaping_setup.exe.
Note: If a User Account Control pop-up appears, click Yes.

4. The MegaPing - InstallShield Wizard window appears; click Next and follow the wizard-
driven installation steps to install MegaPing.
5. After the completion of the installation, click on the Launch the program checkbox and
click Finish.
NN sot~ = View
‘DE CEHVI2 Module08 Scanning Networks » Scanning Tools » MegePing

a Downloads # Name Date modified
Documents # ‘megaping. "W MegaPing- InstallShield Wizard
Wy Pictures # InstallShield Wizard Completed
O Music
El Videos The Instalshield Ward has successfuly nataled MegaPing,
(Gk Fingh to ext the wizard,
> @ OneDrive-Perso
Wtisec @ Launch the program
> lll Desktop Ci show the readme fle
Documents
& Downloads
© Music
BR Pictures
Ed Videos
Be Local isk (C)
> = New Volume(E
> Wa Network
item Litem selected. 4.34. MB
6. The About MegaPing window appears; click the | Agree button.
MegaPing 4.9 Copyright® Magneto Software 2022
THANK YOU FOR TRYING MEGAPING
stéfed version does not display this noti

i this program, please visit Magneto S
CEH Lab Manual Page 232 Ethical Hacking and Countermeasures Copyright © by EC-Council
7. The MegaPing (Unregistered) GUI appears displaying the System Info, as shown in the
screenshot.
View Tec Help =

ASBARY BOB THUY B®
“BONS List Hosts Bhven ey
(3. ONS Lookup Neme
Bi Finger
8 Network Time Y Comections (BJ statstcs J" Irterfces FIP Routng «i ARP
#8 Ping ™
the Teceroute Procol PID Local Adcbess Remote Adress ‘Sisie
Woks ale 35 ports 17 connections 09:08:39
£5) Neework Resources oy i 0000135 canes USTENING
® Process into oy 133 anos. cnaeo UstENING
BY sytem i] boy 39 rie on00330 noe USTENNG
4B IP Scanner 500 1852 0..0.0:5040 09000 USTENING
NetBi05 Scanner oy a 3586 comes aon00 LUSTENING
Share Scanner Gi 23004 872 00.0.049664 oanoo USTENING
3 Secunty Scanner oa 49665 720 000049665 00000 USTENING
Port Scanner ea a06 1718 000.045665 oanos USTENING
Bi} Host Monitor 49667 2372 0.00.049667 00000 LUSTENING
782 onon4966a oanns USTENING
3075 0.0.0.049669 00009 USTENING
840 000049670 00000 USTENING
3590 090049673 onnno USTENING
3886 127.00.149696 17700.149607 ESTABUSHED
3556 127.00.149687 127.00.149696 ESTABUSHED
3556 127.00.149704 12700.44575 ESTABLISHED
3556 1270.0.148705 1270014974 ESTABLISHED
53492 10.10.1.1149788 72213912980 (CLOSE.WAIT
0 0,101.1 149829 anaes TIME wast
82 10.30.1.1189682 52226.139.121483, ESTABUSHED
0 0,101.1149696 108.177.122.988 TIME WAT
0 1010,1.11549907 13.2648 683 TNE WAT
s3ee 1,101.1149935 2054se 15208 ESTABUSHED
#508 1,10.1.149038 210107282483 ESTABLISHED
#306 1.101.1149999 Dagens ESTABLISHED
2us2 1010.1 1ha9a4 222613012188 ESTABUSHED
8. Select the IP Scanner option from the left pane. In the IP Scanner tab in the right-hand
pane, enter the IP range in the From and To fields; in this lab, the IP range is 10.10.1.5
to 10.10.1.20; then, click Start.
WegaPing Unregistered)
File View Tools Help
B25 0h o|S S/T SVS Y\ 0/9
“3, DNS List Hosts
' DNsLockup Name
G Finger
Network Time
#2 Ping
3 Teoceroute
& Whols
Network Resources
® Process Info
Stem info
& P Scanner
WB Net9105 Scanner
Share Scanner
Hest Monitor
CEH Lab Manual Page 233 Ethical Hacking and Countermeasures Copyright © by E6-COl
9. MegaPing lists all IP addresses under the specified target range with their TTL value,
Status (dead or alive), and statistics of the dead and alive hosts, as shown in the
screenshot.
eRegaPIng TURTegHROTeS
le View Took Help
ASUARY DOS CHVIY B®
DNS List Hosts
Pocicccstime
B Foe
| gorse
By Network Time
a Ping
fy Toceroute
Wok
1B Network Resources
®Processinfo
Bi Sytem info
BB Scanner
NeBi0S Scanner Bw.
Share Scanner Broo.
security Scanner B woos
J Pon Scanner Broiois
BB Host Monitor B10101.10
) ia0..12 panier
B ro10.s Fase sory
gw or..16 bok
1001.17 beanies
B woos ren
10101.20 Deareet
Broi01s hoes iasaree
iot018 ana
101017 saselerey
wis ee
Doster
10. Select the Port Scanner option from the left-hand pane. In the Port Scanner tab in the
right-hand pane, enter the IP address of the Windows Server 2022 (10.10.1.22) machine
into the Destination Address List field and click Add.
WegaPing Unregistered)
ile View Tools Help
22 399aa S| 2O3\c SV Sy \g\9
“RDS LtHoate
' DNsLockup Name
G Finger
Network Time Pot Seamer
#2 Ping
4 Toceroute Destraton
Z wnots ra0122
Network Resources Destaton Adress Ust
® Process nfo 10101124
System Info
& IP Scanner
Net3105 Scanner
share Scanner
@ Securty Scanner
J Port Scanner
By Hest Monitor
11. Select the 10.10.1.22 checkbox and click the Start button to start listening to the traffic
on 10.10.1.22.
Wegating (Unregisered)
File View Tools Help
22 99aa S| 2O3/t
SV oy \y\9
“RDS LstHoate
' DNsLockup Name
G Finger
Network Time Y Post Scanner
fa Ping
i Toceroute Destraton
SB Whole ros0122
BY Network Resources Destnaion Adress Ust
® Process nfo wo10122
) ‘System Info tet
IP Scanner
W Nets105 Scanner B8n012
share Scanner
@ Securty Scanner
¥ Port Scanner
BI Host Monitor
12. MegaPing lists the ports associated with Windows Server 2022 (10.10.1.22), with
detailed information on port number and type, service running on the port along with
the description, and associated risk, as shown in the screenshot. Using this information
attackers can penetrate the target network and compromise it, to launch attacks.
File View Too Hep ee

BA Sdahs 293 tH29) Bo
“BONS Lit Hosts —
ONS Lootup Name
D Finger
£B) Network Time
#4 Ping
Traceroute
S vos 1010122
B Newor Resources Desaton Aas Lat
I Process nfo 1a10122
Bi System info
A 'P Scanner bes!
{ NetB105 Scanner BBw12
Share Scanner
@ Security Scanner
19 Port Scanner
B) Host Montor
Desorption
Scanning.
‘Scan Complete
Open Ports Found: 12
domain Domain Name Server
wert World Wide Web HTTP
kerberor Kerberos
loc-sr Location Service
netbios-ssn NETBIOS Session Service
dap Lightweight Directory Access Protocol
microsoft-de ——Microsoft-DS
keassad Kerberos “passvd
Idaps LDAP over SSL
aephyr-ct Zephyr ser-hm connection
eklogin Kerberos encrypted sogin
mardp Microsoft Remote Display (Terminal) P..
$52 AM
@OuOBC@eez ~ 3% 22020
13. Similarly, you can perform port and service scanning on other target machines.
14. This concludes the demonstration of discovering open ports and services running on the
target IP address using MegaPing.
15. Close all open windows and document all the acquired information.
Task 2: Perform Port and Service Discovery using NetScanTools Pro
NetScanTools Pro is an integrated collection of utilities that gathers information on the Internet
and troubleshoots networks for Network Professionals. With the available tools, you can
research |IPv4/IPv6 addresses, hostnames, domain names, e-mail addresses, and URLs on the
target network.
Here, we will use the NetScanTools Pro tool to discover open ports and services running on the
target range of IP addresses.
1. Ensure that the virtual machines (Windows Server 2022, Windows Server 2019,
Ubuntu, Parrot Security, and Android) are running.
2. In the Windows 11 machine, navigate to E:\CEH-Tools\CEHv12 Module 03 Scanning
Networks\Scanning Tools\NetScanTools Pro and double-click nstp11demo.exe.
3. The Setup - NetScanTools Pro Demo window appears, click Next and follow the wizard-
driven installation steps to install NetScanTools Pro.
Note: If a WinPcap 4.1.3 Setup pop-up appears, click Cancel.
rT 5 7
@ new x a Q@ & WD Wsor = View
< ‘> TE Scanning Tools » NetScanToolePro 7 earch NetScanTe

im Desitop | # Name i Date modified Type
& Downloads # @ netptideme
stp & {Be Setup - NetScanToots Pro Demo - x £
BH Documents # © Version 1] Welcome to the NetScanTools Pro
WR Pictures =a % Demo Setup Wizard
© Music i . ‘The
pbetirkstal NetScanToole Pro Demo 11,93 0n your
a Videos oS $
ante
tis recommended that you dose all other appicatons before
© Onedive= Paso a 8 (ck Next to continue, o Cancel o ext Sein.

a 5
. a This PC 2oO 3
ba)
il Desktop S =
o s
BY Documents 9 =
@ DEMO
& Downloads Z__wewwnetscantootscom
e Muzic CREST) — (coe
WR Pictures
{Bh Videos
Local Disk (C2)
> = New Volume

Network
4. In the Completing the NetScanTools Pro Demo Setup Wizard, ensure that Launch
NetScanTools Pro Demo is checked and click Finish.
BS « Scanning Tools > NetScantoolsPro are) Search NetScanTools Pro

Wi Desktop # Name Date modified
AL Downloads ¢ , net ideme we Setup -NetScanToots Pro Demo -
i Documents # © Version 1] Completing the NetScanTools Pro
BS Demo Setup Wizard
%
Pictures # oa
© Music a ‘Setup has fished instaling NetScaTools Pro Demo on your
;
Computer. The application may be launched by selecting the
instaledshortuts.
Ed Videos Click nish to ent Setup
> @ Onedrive- Perso <2 DW lanciiieseantoseie
#8
ec8
:;
¥ Withieec
Ml Desktop =5
S
> {Documents ba}© DEMO
> Downloads = vwwewnetscantoosscom
> @ Music
WR Pictures
> Ed Videos
Local Disk (C2)
> = New VolumeE
5. The Reminder window appears; if you are using a demo version of NetScanTools Pro,
click the Start the DEMO button.
Remi
Thank you for trying the NetScanTools Pro v11 DEMO. This application is 99% functional with this remaining
1%. Limits in the demo:
1. no saving results.
2. the history database does not retain reports between sessions.
3. Packet Generator source IP address must be your computer's IP (fill version allows any source IP).
4. the RFC libraryis smaller to save download size
5. The PDF manual is not inchuded to save download size. Available upon request.
Please review the informational popups for each tool.
Press Buy Full Version Now below for a discounted online price available to anyone. Ask about our educational,
non-profit or government discounts! Proof of eligibility will be required. A discount may not be combined with any
other discount,
If you have questions or prefer to buy on the phone or with
a PO, please contact our Sales dept. at +1 (360) 683-
9888 (Pacific Time - Los Angeles Time).
NetScanTools Pro DEMO is copyrighted software. NetScanTools is a registered trademark of Northwest
Performance Software, Inc_
Start the DEMO Buy Full Version Now at a Discount
CEH Lab Manual Page 237 Ethical Hacking and Countermeasures Copyright © by EC-Cot
6. A DEMO Version pop-up appears; click the Start NetScanTools Pro Demo... button.
NetScantools Pro vi1

“{eDEMO Version
Copyright 20052018 Norhues afomance Satwere, ke. www.netscantools.com
===
‘This sa DEMO. It cannot be unlocked or converted toa ful version
DEMO Version: 30 ial days left
Purchase @ FULL Version ofNetScanTools Pro (Clckto see today's deme discount)
7. The NetScanTools Pro main window appears, as shown in the screenshot.

Note: The version of the NetScanTools Pro might differ when you perform the lab.
Click here
to Buy Now! Welcome To NetScanTools® Pro
Automated Tools
‘Manual Toots (all)
Favonte Tools
Active Discovery Tools
Passive Discovery Toole
ONS Toots
Packet Level Tools
External Toole
‘Application info
Module
03 - Scanning Networks
8. In the left-hand pane, under the Manual Tools (all) section, scroll down and click the
Ping Scanner option, as shown in the screenshot.
9. A dialog box opens explaining the Ping Scanner tool; click OK.
nterwel
—
oobi A few words about this tool.
[About the Ping Scanner (aka NetScanner) Tool

Use this tool to ping a range or ist of 1Pv4 addresses. This tool shows you which computers
are active thn the range/ist (they have to respond to ping). Use f with any set of accessble P
adéresses. To see al devices n your subnet incuding those blocking ping, you can also use ARP Scan
tal.
‘You can import a text lst of IPv4 addresses to ping.
Don’t miss this special feature in this took: Use the Do SMB/INENS Scan to get NetBIOS
responses from unprotected Whdows computers.
Press Show Timing Chart to see a printable chart of ping number vs time.
Don’t forget to right cickin the results for a menu with more options.
[Demo imitations.
l- None,
10. Ensure that Use Default System DNS is selected. Enter the range of IP addresses into
the Start IP and End IP fields (here, 10.10.1.5 - 10.10.1.23); then, click Start.
Note: In this lab task, we are scanning Parrot Machine, Windows Server 2022, Windows
Server 2019, and Android machines.
‘lick hereto Buy Now! ‘Manwal Tels - Ping Scanner/NetScanner

sort [ wanis ® X/ QusedefautsyetemONS
use dd Note
> iese Specc DNs: ‘Serre
snip [i002 [sas T]Xshow Tring chart
For ep, reser
Bs 01.2555
Adeton ScanalTasks:
(D2 Loca ARP lsean
(Ope snessean
Do SubnMacketScan
Enable Pst'Sean
Inport Pest
Clear tnported ist
11. A Ping Scanner notice pop-up appears; click | Accept.

ing Scanner::IMPORTANT NOTICE TO END-USER x
NOTICE: Use of this tool or feature may be construed by your internet access
provider or the owner of the target system as a hostile action or intrusion and may
be in violation of your internet provider's usage agreement or your local laws,
Your activities may be logged by the target system,
EMAIL TESTS: your IP Address might be automatically placed on a real time blacklist.
DISCLAIMER: Northwest Performance Software, Inc, expressly disclaims any and all
responsibility for the use of or improper use of this tool or feature.
USE THIS FEATURE AT YOUR OWN RISK.
(Do not show this message in the future.
12. After the completion of the scan, a scan result appears in the web browser (here,
Google Chrome).
Note: If How do you want to open this file? pop-up appears select Google Chrome from
the list and click on OK.
[Dy Necantoos® Fokason
G_—@ File | Cy/Users/Admin/AppData/Roaming/NWPS/NETSCA~1/HTMLTM~1.HTM
NetScantools Pro v11

7 Re : DEMO v11.11
‘www.netscantools.com
Report created with NetScanTools Pro v11 DEMO.

Py ne
Statistics for Ping Scanner
[Report Timestamp Wednesday, March 23, 2022 07-02-40
[Scan Start Timestamp. [Wednesday, March 23, 2022 07.02.33
Total Scan Time [5641 seconds
Start P address 10.10.15
|End IP address
[Number of target IP addresces
[Number of IP addresses responding 1 pings
[Number of intermediate routers responding fo pings
NCATE AL 6a AT RI OSM
[Number of MAC addresses obtained by ARP or NetBIOS queries
[Number of successful Subnet Mask queries
Gonr@ouwuea &
13. Close the browser and switch to the NetScanTools Pro window.
14. Now, click the Port Scanner option from the left-hand pane under the Manual Tools
(all) section.
Note: If a dialog box appears explaining the Port Scanner tool, click OK.
15. In the Target Hostname or IP Address field, enter the IP address of the target (here,
10.10.1.22). Ensure that TCP Full Connect radio button is selected, and then click the
Scan Range of Ports button.
Uomo. NetScanTooks® Pro Demo Version DTS based
on version T1853
Edit Accessibi
Click hereto Buy Now! Manual Toole - Port Scanner @

Target Hostname or IP Address Port Range and Scan Mode Add Note
[ios0.2.22 ort Range QOT
C?
Ful Connect
u oe Ports Only ump To Automated
(Cluse Target ist When Scanning Stert 4 Ore Fulsune Ports Reports
Otc Sin Scan (Half Open)
For Heb, press Ft bind OTC? custom Scan (Cds to Favorites
3) Network interface 4
Ethernet (10,10, 1.11) - Microsoft Hyper-V Network Adepter 7 60
‘Scan Common Ports
Fit Common Ports ist Dishow Al Scanned PortResuits
at Target ist
Stop
settngs
Defauts
Connect Timeout
20
Read Timeout
x |= OE
NUM
054M
CF eo 2307
16. A Port Scanner notice pop-up appears; click | Accept.
ort Scanner::IMPORTANT
NOTICE TO END-USER x
NOTICE: Use of this tool or feature may be construed by your internet access
provider or the owner of the target system as a hostile action or intrusion and may
be in violation of your internet provider's usage agreement or your local laws.
Your activities may be logged by the target system.
EMAIL TESTS: your IP Address might be automatically placed on a real time blackist.
DISCLAIMER: Northwest Performance Software, Inc, expressly disclaims any and all
responsibility for the use of or improper use of this tool or feature.
USE THIS FEATURE AT YOUR OWN RISK.
(2)Do not show this message in the future.
(CEH Lab Manual Page 241 Ethical Hacking and Countermeasures Copyright © by EC-Council
Module
17.A result appears displaying the active ports and their descriptions, as shown in the
screenshot.
BVO based on version Tees
Welcome Click hereto Buy Now! Manual Tools ~Port Scanner @

Automated Tools
SS Target Hostname
or IP Address Port Range and Scan Mode
Manuel Tools (al) ie OTe Ful comnect =
Ube Ports Only Jaw To Automated
(luce Target List when Scanning set 1 TOP Fulsu0P Pets Reports
end 256 OTE SM scan (al Open) (Cade to Favorites
in
Scan Complete - 256 ports canned Ore custom sen
ecine -
Ethernet (10.10.1.11) -Mirosoft Hyper
Network Adapter
‘Scan Common Ports
Edit Common Ports Uist (show al Scanned Port Rests Show TCP Suna
a ‘TCP Full Connect Response Summary
sep @ ret res
Settings i3} 2: Abe TOP Ports Rebaring Dats ©
Defauits
eer
oe [] @ recor rent 21
ead Treat
5. 10.10.1.22 53 domain ree
- 10.10.1.22 80 etp cP
favcnien Tooke 10.10.1.22 8 kerberos TCE
‘Active Discovery Tools 10,10.1.22 epnap ce Active
ae 10,10.1.22 139 netbios-ssn TCP Port Active
DNS Tooke
Packet Level Tools
External Tools
‘Application Info
18. By performing the above scans, you will be able to obtain a list of active machines in the
network, their respective IP addresses and hostnames, and a list of all the open ports
and services that will allow you to choose a target host in order to enter into its network
and perform malicious activities such as ARP poisoning, sniffing, etc.
target IP address using NetScanTools Pro.
Task 3: Perform Port Scanning using sx Tool
The sx tool is a command-line network scanner that can be used to perform ARP scans, ICMP
scans, TCP SYN scans, UDP scans and application scans such as SOCS5 scan, Docker scan and
Elasticsearch scan.
Here, we will use sx to perform ARP scans, TCP scans and UDP scans to discover open ports in
the target machine.
1. Ensure that the virtual machines (Windows 11, Windows Server 2022, Windows Server
2019, Ubuntu, and Android) are running.
2. Switch to the Parrot Security virtual machine.
Module
3. In the login page, the attacker username will be selected by default. Enter password as
toor in the Password field and press Enter to log in to the machine.
Note: If a Parrot Updater pop-up appears at the top-right corner of Desktop, ignore and
close it.
Note: If a Question pop-up window appears asking you to update the machine, click No
to close the window.
4. Click the MATE Terminal icon at the top of the Desktop to open a Terminal window.
5. A Parrot Terminal window appears. In the terminal window, type sudo su and press
Enter to run the programs as a root user.
6. Inthe [sudo] password for attacker field, type toor as a password and press Enter.
Note: The password that you type will not be visible.
7. In the terminal window, type sx arp [Target subnet] and press Enter (here, the target
subnet is 10.10.1.0/24) to scan all the IP addresses and MAC addresses associated with
the connected devices in a local network).
Note: arp: performs an ARP scan.

Note: The MAC addresses might vary when you perform this task.
8. Type sx arp [Target subnet] --json | tee arp.cache and press Enter to create arp.cache
file (here, the target subnet is 10.10.1.0/24).
Note: --json converts a text file to the JSON format, tee writes the data to stdin.
Note: Before the actual scan, sx explicitly creates an ARP cache file which is a simple text
file containing a JSON string on each line and has the same JSON fields as the ARP scan
JSON output. The protocols such as TCP and UDP read the ARP cache file from stdin and
then begin the scan.
tee arp.cache
vendor"
vendor"
:"8e:99;65:2 1 endor bt
“8:3b:43 ) , "vendor *}
ac: f2;a¢ d:60","vendor":"
32:84:ba:4d:18:47", “vendor"
9. Type cat arp.cache | sx tcp -p 1-65535 [Target IP address] and press Enter to list all the
open tcp ports on the target machine (here, the target IP address is 10.10.1.11).
Note: tcp: performs a TCP scan, -p: specifies the range of ports to be scanned (here, the
range is 1-65535).
tee arp.cache
:41:c4:ad", “vendor
06:ea:27 vende
vendor
vendor
ac:87;8d:60", "vendor"
ba:4d:18:47", "vendc
-p 1-65535 10.10.1.11
10. In the terminal, type sx help and press Enter to obtain the list of commands that can be
used. For more information, you can further use sx --help command.
Perform ARP scan

Perform Docker s
Perform El
Help about any command
m ICMP scan
m SOCKS5
erform TCP an
Pe m UDP scan
help help for sx
d] help" for more information about a
11. Now, let us perform UDP scan on the target machine to check if a port is open or closed.
12. In the terminal, type cat arp.cache | sx udp --json -p [Target Port] 10.10.1.11 and press
Enter (here, target port is 53).
Note: udp: performs a UDP scan, -p specifies the target port.
Note: In a UDP scan sx returns the IP address, ICMP packet type and code set to the
reply packet.
13. The result appears, with the reply packet from the host with Destination Unreachable
type (3) and Port Unreachable code (3), which indicates that the target port is closed.
Note: - According to RFC1122, a host should generate Destination Unreachable

messages with code: 2 (Protocol Unreachable), when the designated transport protocol
is not supported; or 3 (Port Unreachable), when the designated transport protocol (e.g.,
UDP) is unable to demultiplex the datagram but has no protocol mechanism to inform
the sender.
= According to RFC792, network unreachable error is specified with code: 0, Host

unreachable error with code: 1, Protocol unreachable error with code: 2, Port
unreachable error with code 3.
parrot
#cat arp.cache | sx p 53 10.10.1.11
"udp p":"10.10. Sag = 4 Se | icmp":{"type":
rrot t
14. Type cat arp.cache | sx udp --json -p [Target Port] 10.10.1.11 and press Enter (here, the
target port is 500).
15. You can observe that sx does not return any code in the above command, which states
that the target port is open.
16. This concludes the demonstration of port scanning using sx Tool.

17. Close all open windows and document all acquired information.
18. Turn off the virtual machines (Windows Server 2019, Android, and Parrot Security).
Task 4: Explore Various Network Scanning Techniques using Nmap
Nmap comes with various inbuilt scripts that can be employed during a scanning process in an
attempt to find the open ports and services running on the ports. It sends specially crafted
packets to the target host, and then analyzes the responses to accomplish its goal. Nmap
includes many port scanning mechanisms (TCP and UDP), OS detection, version detection, ping
sweeps, etc.
Here, we will use Nmap to discover open ports and services running on the live hosts in the
target network.
1. Ensure that the Windows 11, Ubuntu and Windows Server 2022 virtual machines are
running.
2. Switch r to the Windows 11 virtual machine. In the Windows 11 machine, click Search
icon {2}, on the Desktop. Type zenmap in the search field, the Zenmap appears in
the results, click Open to launch it.
2 zenmap
All Apps Documents Web More
Best match
=nme Run command =

Search the web zenmap
Ran
zenmap- See web texts
O
zenmap download
b
zenmap gui
OG
zenmap for windows 10

OD
zenmap kali
Py
zenmap portable
Oo
zenmap ubuntu
U6
zenmap download windows
3. The Zenmap appears; in the Command field, type the command nmap -sT -v [Target IP
Address] (here, the target IP address is 10.10.1.22) and click Scan.
Note: -sT: performs the TCP connect/full open scan and -v: enables the verbose output
(include all hosts and ports in the output).
Note: The MAC addresses might differ when you perform the task.
a
Scan Tools Profile Help
10.10:4.22
[nmap -sT-v 10.10.12
Hosts Services Nmap Output Ports /Hosts Topology Host Oetaile Scans
Module
4. The scan results appear, displaying all the open TCP ports and services running on the
target machine, as shown in the screenshot.
Note: TCP connect scan completes a three-way handshake with the target machine. In
the TCP three-way handshake, the client sends a SYN packet, which the recipient
acknowledges with the SYN+ACK packet. In turn, the client acknowledges the SYN+ACK
packet with an ACK packet to complete the connection. Once the handshake is
completed, the client sends an RST packet to end the connection.
Nmap Output Ports/ Hosts Topology Host Oetis Scant

famap sT-v 10.10.22
@ ro10122 65/tCD on 1 22
ep on 40.40-4-32
308 done; ETC: 12:15 (@:00:39 remaining)
20-30.1.22
S3/tep
sorte
Se/tep
a3s/tep
a9/tee
aasees
‘sseearten
sr
Sertteerp
isex/tep open
2103 open
2195/t/tcDep open
2107/tep open
3268 open
3269/t/tepcD open
3389 open
RAC /tAdepsress: (€3:94188:40 (Unknonn)
Read data files from: C:\Program Fizes (x86)\Neap
‘usp done: Raw 1 IP eddress (1 host up) scanned in 67.21 seconds
packets sent 1 (286) | Reva: 1 (288)
5. Click the Ports/Hosts tab to gather more information on the scan results. Nmap displays
the Port, Protocol, State, Service, and Version of the scan.
Nmap Output Ports/ Hosts Topology Host Details Scans

7 Fort 4 Protocol * State © Serace
® 1012 53 tcp open dome
tcp open hp
8 te erberos sec
135 up smerpe
30 tp netbior-sin
ey ldap
4S tcp ricroscft-ds
tp
se tsp
6
smer-mget
slobaicaDAP
lobaleatDAPss!
menbtsevee
Module
6. Click the Topology tab to view the topology of the target network that contains the
provided IP address and click the Fisheye option to view the topology clearly.
Nmap Output Ports /Hosts Topology Host Oetai Scans

Hosts Viewer Fisheye Controls Legend Seve Graphic
w10122
Fisheye
on ring 100 > with interestfactor 200 3] andsspreadfactor 050 =
7. Inthe same way, click the Host Details tab to view the details of the TCP connect scan.
Nmap Output Ports/ Hosts Topology Host Details Scans
|
corm @
cores
ie
ry
=
a
Pv Not.
MAC: 70893948840
= Comments
8. Click the Scans tab to view the command used to perform TCP connect/full open scan.
9. Click the Services tab located in the left pane of the window. This tab displays a list of
services.
Temes nr
Frarget: | 10.10.122 Profile Sean
{Commands | nmap -£T-v 10.10
Hosts [Services| Nmap Output Ports /Hosts Topology Host Details Scans
Service Status Command
domain Unsaved nmap -sT -v 10.10.1.22
ehlogin
oan
globeleatLOAPsst
tp
Ittp-mpe-epmap
kerberos-see
passwd
a
ds
me-wbt-server
msmq,
msma-mgmt
marpe
Friter Hosts
SP Aependscan | me Removescan |
moun OseeCase: A 29 Som @

Note: You can use any of these services and their open ports to enter into the target
network/host and establish a connection.
10. In this sub-task, we shall be performing a stealth scan/TCP half-open scan, Xmas scan,
TCP Maimon scan, and ACK flag probe scan on a firewall-enabled machine (i.e.,
Windows Server 2022) in order to observe the result. To do this, we need to enable
Windows Firewall in the Windows Server 2022 machine.
11. Switch to the Windows Server 2022 virtual machine.
12. Click Ctrl+Alt+Del to activate the machine. By default, CEH\Administrator user profile is
selected, type Pa$$woOrd in the Password field and press Enter to login.
CEH\Administrator
Fesseceed |
CEH\Administrator
Other user
13. Navigate to Control Panel > System and Security > Windows Defender Firewall >
Turn Windows Defender Firewall on or off, enable Windows Firewall and click OK, as
shown in the screenshot.
Prcikemaesainge ee eee |
« 4 MP > Control Panel > System
and Security > Windows Defender Firewall» Customize Settings
Customize settings for each typeof network

You can mosity the Fi settings for each type of network that you use,
nain network settings
1m on Windows Defender Firewal
sc al incoming connections including those inthe it of
Notify me when Windows Defender Firewall blocks # new app
Oem tindnes Detender Frew (not recommended
lowrs Defender Fireva

onnections, including those in the list of allowed apps
[Notify me when 1 Defender Firewall blocks 2 new app
©] OTum ett windows Defender Firewall (not ecommendes
Public network seth
g ow Windows Defender Frenal
lock allincoming connections, including those in the listof allowed app=
Notify me when Windows Defender Firewall blocks
a new opp
em ofwinds Defender Frew not recommended
L Cencel ]
Module
14. Now, switch to the Windows 11 virtual machine. In the Command field of Zenmap, type
the command nmap -sS -v [Target IP Address] (here, the target IP address is 10.10.1.22)
and click Scan.
Note: -sS: performs the stealth scan/TCP half-open scan and -v: enables the verbose
output (include all hosts and ports in the output).
15. The scan results appear, displaying all open TCP ports and services running on the target
machine, as shown in the screenshot.
Note: The stealth scan involves resetting the TCP connection between the client and
server abruptly before completion of three-way handshake signals, and hence leaving
the connection half-open. This scanning technique can be used to bypass firewall rules,
logging mechanisms, and hide under network traffic.
Zenmap
10.10.1.22
nmap -s5 -v 10. 10,1.22
Nmap Output Ports/Hosts Topology Host Details Scans
imap -55 -v 10.10.1.22
Discovered open port 593/tcp on 10.10.1.22
eklogin Discovered open port 21@5/tep on 10.10.1.22
Discovered open port 3268/tcp on 16.10.1.22
globslestLDAP Discovered open port 18@1/tcp on 10.10.1.22
globslcatL DAP ss! Discovered open port 21@3/tep on 10.10.1.22
Discovered open port 88/tcp on 10.10.
http Discovered open port 464/tcp on 10.1.2.
Discovered open port 21@7/tcp on 10.18.1.22
hitp-rpc-epmap Discovered open port 389/tcp on 10.10.1.22
kerberos-sec Discovered open port 636/tep on 10.10.1.22
Completed SYN Stealth Scan at 12:35, 4.75s elapsed (100@ totel ports)
kpasswdS Nmap scan report for 10.10.1.22
Host is up (@.0813s latency).
Idap Not shown: 983 filtered tcp ports (no-response)
Idapssl PORT STATE SERVICE
S3/tep domain
microsoft-ds sertcp nttp
PEEELLECS!
88/tcp kerberos-sec
ms-wht- server 135/tep msroc
msmq 139/tep netbios-ssn
389/tep ldap
msmg-mgmt 4a5/tep microsoft-ds
se4/tep kpasswdS
marpe 593/tep http-rpc-epmap
netbios-ssn 636/tcp Idapssl
1881/tcp open msnq
zephyr-cit 2103/tcp open rephyr-clt
215/tcp open eklogin
2187/tcp open msnq-mgmt
3268/tcp open ElobalcatLDAP
3269/tcp open globalcatLDAPssi
3389/tcp open ms-wot-server
MAC Address: 70:59:C3:94:88:48 (Unknown)
Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 4.93 seconds
Raw packets sent: 1984 (87.280KB) | Rcvd: 18 (7768)
Filter Hosts
16. As shown in the last task, you can gather detailed information from the scan result in
the Ports/Hosts, Topology, Host Details, and Scan tab.
17. In the Command field of Zenmap, type the command nmap -sX -v [Target IP Address]
(here, the target IP address is 10.10.1.22) and click Scan.
Note: -sX: performs the Xmas scan and -v: enables the verbose output (include all hosts
and ports in the output).
18. The scan results appear, displaying that the ports are either open or filtered on the
target machine, which means a firewall has been configured on the target machine.
Note: Xmas scan sends a TCP frame to a target system with FIN, URG, and PUSH flags
set. If the target has opened the port, then you will receive no response from the target
system. If the target has closed the port, then you will receive a target system reply with
an RST.
Zenmep
Scan Iools Profile Help
farget: | 10.10,3.22 Profite:
fommand: | nmap -sX -v 10.10.1.22
fl Hosts | Services / Hosts Topology

Nmap Output Ports Host Details Scans
S « Host = nmap -sX -v 10.10.1.22
10.10.1.22 Starting Nmap 7.92 ( httos://nmap.org ) at 2022-06-06 12:36 Pacific Daylignt Tine
Initiating ARP Ping Scan at 12:36
Scanning 10.10.1.22 [1 port}
Completed ARP Ping Scan at 12:36, @.04s elapsed (1 total hosts)
Initiating Parallel ONS at 12:
Completed Parallel ONS . at 12:36, @.025 elapsed
Initiating XMAS Scan at 12
Scanning 19.10.1.22 [1088 ports]
Completed X¥AS Scan et 12:37, 22.915 elapsed (1000 total ports)
fwmap scan report for 10.10.1.22
Host is up (0.081
All 10@@ scanne 10.1.22 are in ignored states.
Not_shoun: 1008 tep ports (no-response)
MAC Address: 70 (Unknown)
Nmap done: 1 IP address (1 host up) scannec in 23.18 seconds
Raw packets sent: 2001 (80.628KB) | Revd: 2 (808)
CEH Lab Manual Page 253. Ethical Hacking and Countermeasures Copyright © by EC-Council
Module
19. In the Command field, type the command nmap -sM -v [Target IP Address] (here, the
target IP address is 10.10.1.22) and click Scan.
Note: -sM: performs the TCP Maimon scan and -v: enables the verbose output (include
all hosts and ports in the output).
20. The scan results appear, displaying either the ports are open/filtered on the target
machine, which means a firewall has been configured on the target machine.
Note: In the TCP Maimon scan, a FIN/ACK probe is sent to the target; if there is no
response, then the port is Open|Filtered, but if the RST packet is sent as a response,
then the port is closed.
F Zenmap
Target: | 10.10.1.22 Profile:
Command: | nmap -sM -v 10.10,1.22
Hosts Services Nmap Output Ports /Hosts Topology Hest Details Scans
10S « Host = nmap -sM -v 10.10.1.22
10.1012 Starting Nmap 7.92 ( nttos://nmap.org ) at 2022-06-06 12:39 Pacific Daylignt Tine
Scanning 10.10.1.22 [1 port)
Conpleted ARP Ping Scan at 12:39, @.04s elapsed (1 total hosts)
Llel ONS resolution of 1 host. at 12:39
lel DNS re: ion of 1 host. at 12:39, @.0@2s elapsed
Initiating Maimon Scan at
Scanning [email protected] [10@@ ports)
Conpleted Heimon Scan at 12:39, 22.915 elapsed (1090 totel ports)
n report or 10.10.1.22
Host is up (@.0810s latency
A1L 1000 scanne: 1.22 are in ignored states.
p ports (no-response)
Unknown)
Read data files from: C:\Program Files (x86)\"nop
Nwap_done; 1 IP address (1 host up) scanned in 23.18 seconds
Raw packets sent: 2001 (80.628K8) | Revd: 1 (288)
Module
21. In the Command field, type the command nmap -sA -v [Target IP Address] (here, the
Note: -sA: performs the ACK flag probe scan and -v: enables the verbose output (include
all hosts and ports in the output).
22. The scan results appear, displaying that the ports are filtered on the target machine, as
Note: The ACK flag probe scan sends an ACK probe packet with a random sequence
number; no response implies that the port is filtered (stateful firewall is present), and an
RST response means that the port is not filtered.
TTEraS
jarget: | 10.10.1.22
ommand: | nmap -s& «v 10.10.1.22
Hosts Services Nmap Output Ports / Hosts Topology Host Details Scans
nmap si -v 10.10.1.22
@ 10.10.12 Starting Nmap 7.92 ( https://neap.org ) at 2022-06-06 12:40 Pacific Daylight Tine
Scanning 10.10.1.22 [1 port}
Conpleted ARP Ping Scan at 12:40, @.03s elapsed (1 total hosts)
Initiating Parallel ONS resol of 1 host. at 12:40
Completed Parallel ONS resolution of 1 host. at 12:48, @.02s elapsed
Initiating ACK Scan ot 12:40
Scanning 10.10.1.22 [1028 ports]
Completed ACK Scan st 12:41, 22.9@s elepsed (1000 total ports)
Nmap scan report for 10.10.1.22
Host is up (8.085 latency)
All 1008 scanne on 10.10.1.22 are in ignored states.
Not shown: 1000 p ports (no-response)
Address:
MAC 70: :4@ (Unknown)
Rend
files
data from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 23.@7 seconds
Raw packets sent: 2601 (89.628K8) | Revd: 4 (2848)
23. Switch to the Windows Server 2022 virtual machine.

24. If you are logged out of the Windows Server 2022 virtual machine, then click
Ctrl+Alt+Del to activate the machine. By default, CEH\Administrator user profile is
selected, type Pa$$wOrd in the Password field and press Enter to login.
25. Turn off the Windows Defender Firewall from Control Panel.
pinto baede ren ——— ey
© > © 4 MP > Control Panel > System
and Security » Windows Defender Firewall
Ble &
Help protect your PC with Windows Defender Firewall
Windows Defender Firewal can help prevent hackersor malicious software from gaining
access to your PC
through the Internet ora network
(Dice recommended settings
St re B® comain networks Not connected

BG Private networks Wiad
| | @ Guest or public networks ‘Connecaa:
"Networks in public places such as airports or coffee shops
Windows Defender Firewall state
Incoming connections
26. Now, switch back to the Windows 11 virtual machine. In the Command field of Zenmap,
type the command nmap -sU -v [Target IP Address] (here, the target IP address is
10.10.1.22) and click Scan.
Note: -sU: performs the UDP scan and -v: enables the verbose output (include all
hosts and ports in the output).
27. The scan results appear, displaying all open UDP ports and services running on the
target machine, as shown in the screenshot.
Note: This scan will take approximately 20 minutes to finish the scanning process and
the results might differ in your lab environment.
Note: The UDP scan uses UDP protocol instead of the TCP. There is no three-way
handshake for the UDP scan. It sends UDP packets to the target host; no response
means that the port is open. If the port is closed, an ICMP port unreachable message is
received.
Zenmap
farget: | 10.10.1.22
fommand: | nmap »sU +v 10.10.1.22
Hosts Services__-Nmap Output Ports /Hosts Topology Host Details Scans
nmap -sU -v 10,101.22
aaeee UP Scan Liming: Ab: out 98.67% doni Etc: 13:03 (0:01:50 remaining)
Discovered open port 389/udp on 10.10.1.22
OP Scan Timing: About 95.97% done; ETC: 13:03 (0:08:48 remaining)
Conpieted UDP Scan at 13:64, 1197.32s elapsed (1008 total ports)
Wimap scan report for 10.10.1.22
Host is up (@.eee71s latency).
Not shown: 976 closed udp ports (port-unreach)
PORT STATE SERVICE
53/udp open domain
88/udp open|#iltered kerberos-sec
123/udp open, ntp
137/udp ‘open netoios-ns
138/udp open| Filtered netbios-dgn
161/uap ‘open snmp
389/udp open dap
464/usp open| Filtered kpasswd
5ee/udp open| Filtered isakmp
3389/udp open| filtered s-uot-server
4500/u0p open|Fiiterea nat-t-ike
5353/udp open| filtered zerocont
5355/uap open| Filtered Alene
56141/udp open| Filtered unknown
57172/uap open| filtered unknown
57410/uap open| filtered unknown
57843/udp open| filtered unknown
57958/uap open|#iitered unknown
57877/udp open|#iltered unknown
58002/uap open|#iitered unknown
58075/udp open| filtered unknown
58178/uap open| Filtered unknown
NAC Address: B9:C3:98:B8:48 (Unknown)
Naap done: 1 IP address (1 host up) scenned in 1197.52 seconds
Raw packets sent: 129@ (65.131K) | Revd: 10@7 (73.91eKB)
Filter Hosts u
28. Close the Zenmap window.

29. You can create your scan profile, or you can also choose the default scan profiles
available in Nmap to scan a network.
30. Click Search icon [P} on the Desktop. Type zenmap in the search field, the Nmap -
Zenmap GUI appears in the results, click Open to launch it.
31. To choose the default scan profiles available in Nmap, click on the drop-down icon in the
Profile field and select the scanning technique you want to use.
Intense scan
Intense scan
Intense scan plus UDP
Nmap Output Ports/ Hosts Topology Host Detail Scans Intense scan, al TCP ports
Intense scan, no ping
Ping scan
Quick sean
Quick scan plus
Quick traceroute
Regular scan
Slow comprehensive scan
CEH Lab Manual Page 257 Ethical Hacking and Countermeasures Copyright © by EC-Cot
Module
32. To create a scan profile; click Profile > New Profile or Command.

Zeimap
Scan Jools GED Help
Target: Profile: Intense scan
Edit Selected Profile q
‘Command:
Hosts Services Nmap Output Ports /Hosts Topology Host Details Scans
OS ¢ Host -
33. The Profile Editor window appears. In the Profile tab, under the Profile Information
section, input a profile name (here, Null Scan) into the Profile name field.
Profle Help
Profile: Intense scan
Command: | nmap -T4-A-v
Hosts Services Nmap Output Ports /Hests Topology Host Detar Scans
© Profile Editor
nmap -T4-Awv
Profile Scan Ping Scripting Target Source Othe: Timing Lead
Description
Profite information
“The descriptions» full description
Profite name | RIE cf what the scan does, which may
Description ben .
conc] { Seve Changes
Fiter Hosts
34. Now, click the Scan tab and select the scan option (here, Null scan (-sN)) from the TCP
scan drop-down list.
35. Select None in the Non-TCP scans drop-down list and Aggressive (-T4) in the Timing
template list. Ensure that the Enable all advanced/aggressive options (-A) checkbox is
selected and click Save Changes, as shown in the screenshot.
Note: Using this configuration, you are setting Nmap to perform a null scan with the
time template as -T4 and all aggressive options enabled.
36. This will create a new profile, and will thus be added to the profile list.
[2 Bone editor - oO x
nmap «SN -T4 “Av Scan
Profile Scan Ping Scripting Target Source Othe: Timing Help

Version ys detection
Scan options
Attemptto discover the version
Targets (optional): number of services running on
TCP scan: Null scan (-sN) remote ports
Non-TCP scans: None
Timing template Aggressive (-T4)
@ Enable all advanced/aggressive options (-A)
Operating system detection (-O)
CO) Version detection (-sV
] Idle Sean (Zombie) (-s!)
FIP bounce attack (-b)
Disable reverse DNS resolution (-n!
IPV6 support (-6)
Cancel | fejSavec nges}
37. In this sub-task, we will be targeting the Ubuntu machine (10.10.1.9).

38. In the main window of Zenmap, enter the target IP address (here, 10.10.1.9) in the
Target field to scan. Select the Null Scan profile, which you created from the Profile
drop-down list, and then click Scan.
Prien ses
Scan Tools Profle Help
Parsee [sasa9 Prete: | Na Scan san
ICommand: [nmap -N-T4 “Av 10.10.19
Hosts Services Nmap Output Ports /Hests Topology Host Detar Scans
10S « Host + a
39.N map scans the target and displays results in the Nmap Output tab, as shown in the
screenshot.
Zenmes
Target: 10.10.1.9 Profile: Null Scan
ICommand: | nmap -sN -T4 °A -v 10.10.1.9
Services Nmap Output Ports /Hosts Topology Host Details Scans
nmap -sN-TA -A -v 10.10.19
» — NNot_shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tep open ssh OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey
| 256 28:52:84:53:60:ec 2:¢€:80:ba:dd:35:74:05:55 (ECDSA)
|_ 256 9a:2e:e8: 21:07:94: 7¢125:95:¢9:6a:b6:5e:fe:e4:51 (£D25519)
S8/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_ntto-title: Apache2 Ubuntu Default Page: It works
| http-methods
|_. Supported Methods: OPTIONS HEAD GET POST
|"http-server-header: Apeche/2.4.52 (Ubuntu)
Address: 38:14:F4:02:1C:03 (Unknown)
MAC
Device type: general purpose
Running: Linux 4.X/5
OS CPE: cpe:/o:1inux:1inux_kernel:4 cpe:/o:Linux:1inux_kernel:5
OSdetails: Linux 4.15 - 5.6
Uptime guess: 23.095 days (since Sat May 14 11:06:22 2@22)
Network Distance: 1 hop
ICP Sequence Prediction: culty=26@ (Good luck!)
‘IP _ID Sequence Generation zeros
Service Info: OS: Linux; CPE: cpei/o:linux:1linux_kerne
TRACEROUTE
HOP RTT ADDRESS
1 0.65 ms 10.10.19
NSE: Script Post-scanning
Initiating NSE at 13:23
Initiating NSE at 13:23

Completed NSE at 13:23, @.005 elapsed
OS and Service detection performed. Please report any incorrect results at https://neap.org/submit/ .
Naap done: 1 IP address (1 host up) scanned in 9.98 seconds
Raw packets sent: 1025 (41.886x8) | Rcvo: 1013 (41.198KB)
Filter Hosts
40. Apart from the aforementioned port scanning and service discovery techniques, you can
al so use the following scanning techniques to perform a port and service discovery on a
target network using Nmap.
= IDLE/IPID Header Scan: A TCP port scan method that can be used to send a spoofed
source address to a computer to discover what services are available.
nmap -sl -v [target IP address]
= SCTP INIT Scan: An INIT chunk is sent to the target host; an INIT+ACK chunk
response implies that the port is open, and an ABORT Chunk response means that
the port is closed.
nmap -sY -v [target IP address]
= SCTP COOKIE ECHO Scan: A COOKIE ECHO chunk is sent to the target host; no
response implies that the port is open and ABORT Chunk response means that the
port is closed.
nmap -sZ -v [target IP address]
41. In the Command field, type the command nmap -sV [Target IP Address] (here, the
Note: -sV: detects service versions.
42. The scan results appear, displaying that open ports and the version of services running
on the ports, as shown in the screenshot.
Note: Service version detection helps you to obtain information about the running
services and their versions on a target system. Obtaining an accurate service version
number allows you to determine which exploits the target system is vulnerable to.
Teme
Target: | 10.10.122 Profile
fommand:_ | nmap -s¥ 10.10.1.22
Hosts Services Nmap Output Ports /Hosts Topology Host Details Scans
= [nmap -s¥ 10.10.12
101019 nap 7.92 ( nttes://nmap.org ) at 2022-06-06 13:25 Pacific Daylight Tire
® 1010122 report for 10.10.1.22
is up (0.000485 latency).
Not shown: 983 closed tep ports (reset)
PORT STATE SERVICE VERSION
53/tep open donain Simple ONS Pius
Bortcp open tty Microsoft IIS httpd 10.0
S8/tcp open Kerberos-sec Microsoft Windous Kerberos (server time: 2022-06-06 20:25:127)
135/tep open _msrpc Microsoft Windows RPC
139/tcp open netblos-ssn Microsoft Kindows netbios-ssn
389/tep open Idap Microsoft Windows Active Directory LOAP (Donsin: CEM.con®., Site: Default-First-Site-Nane)
4as/tep open microsoft-ds Microsoft Wingous Server 2008 R2 - 2012 wicrosoft-as (workEroup: CEH)
464/tep open kpassudS?
593/tep open ncacn_nttp —icrosoft Windows RPC over HITP 1.0
636/tep open tepurapped
1801/tcp open wsnq?
2103/tep open msrp Microsoft Windows RPC
2405/tep open msrpc Microsoft Windows RPC
2107/tcp open asroc Microsoft Mindows RPC
326R/tcp open Ida. Microsoft Windows Active Directory LOAP (Domain: CEH.con®., Site: Default-First-Site-Neme)
3269/tcp open tcpurappes
3389/tep open s-ubt-server Microsoft Terminal Services
RAC Address: 70:69:C3:94:88:4@ (Unknown)
Service Info: Host: SERVER2022; OS: Windows; CPE: cpe:/o:microsoft:uindous
s detection perforned. Pi port any inc results at nttps://nmap.org/subait/
Nmap done: 1 IP address (1 host up) scennes in 54.39 seconds
Filter Hosts
43. In the Command field, type the command nmap -A [Target Subnet] (here, target subnet
is 10.10.1.* ) and click Scan. By providing the “*” (asterisk) wildcard, you can scan a
whole subnet or IP range.
Note: -A: enables aggressive scan. The aggressive scan option supports OS detection (-
O), version scanning (-sV), script scanning (-sC), and traceroute (--traceroute). You
should not use -A against target networks without permission.
44. Nmap scans the entire network and displays information for all the hosts that were
scanned, along with the open ports and services, device type, details of OS, etc. as
to1014
roars |LMiot valid after: 2622-11-16T16:05:06
Device tyne: general purpose
ro10.1.11 Running: Nicrosoft Hindons 16
5 CPE: coe: /ornicrosoft :windows_10:1607
Lider QS-detalis: Microsoft Windows 10 1607
yo.0.4.8 Network Distance: ® hops
vnwmoviescope. Service Info: Host: NINDOWSI1; OS: Windows; CPE: cpe:/ormicrosoft :windows
yot0.1.22 Host
4 scriot resutts:
i 6-06120:31:08
te: WA
LL|"smb-secaedty-mode:
| account_uses: guest
| authenticationlevel: user
| challenge response: supportea
|. message_signing: disables (dangerous, but default)
["smoz-security-noge:
[sat
|_ “Message sfening enables but not requires
|"seb-os-discovery:
| “05: windows 10 Enterprise 22006 (iiindons 10 Enterprise 6.3)
| 05 CPE: cpe:/o:mlcrosort:atndows_1::~
| Computer name: Hindowsi1
| Mevez0S computer name! WINDOWS12\xe0
| Workgroup: WORKGROUP\x08
|_ _ system time: 222-05-€6715:31:67-07:08
[Tetock-sken: mean: 1h2000s, deviation: 3M@7ASIs, median: Os
Post-scan script results
| clock: skew:
tmap_done: 258 IP accresses (7 hosts up) scanned in 181.09 seconds
45. Choose an IP address 10.10.1.22 from the list of hosts in the left-pane and click the Host
Details tab. This tab displays information such as Host Status, Addresses, Operating
System, Ports used, OS Classes, etc. associated with the selected host.
mae
faget: | 10.10."
Zommand:_ | nmap -A 10.101."
Hosts _Serices___Nemap Output Ports
/ Hosts Topology Host Details Scans
10S « Host BE woro1z
roo. Tees
State ”
rar019
eet me 4A
ar03.13 Fikered pore: 0
isi Closed ports: 983
wewwemoviescope.c
Scanned
mee
ports: 1000
os r)
Lastboct: Mon jun 6 11:54 2022
© Addresses
Pvt: 10.10.22
IPvé Not avaiable
MAC. 7oEAC9ABB40
= Operating System
Nome: Microsoft Windows 10 1703,
os |
= Ports used
Por-Protocol State: $3-tep- open
Por-Protocol-State: 1-tep- closed
Por-ProtocolState: 30006 udp - closed
= 05 Classes
Type Vendor OS Femily OS Generation Accuracy
Sop Meso =
© TOP Sequence
2 WIN Camanre
CEH Lab Manual Page 262 Ethical Hacking and Countermeasures Copyright © by E6-COl
46. This concludes the demonstration of discovering target open ports, services, services
versions, device type, OS details, etc. of the active hosts in the target network using
various scanning techniques of Nmap.
48. Turn off the Windows 11 and Ubuntu virtual machines.
Task 5: Explore Various Network Scanning Techniques using

Hping3
Hping2/Hping3 is a command-line-oriented network scanning and packet crafting tool for the
TCP/IP protocol that sends ICMP echo requests and supports TCP, UDP, ICMP, and raw-IP
protocols. Using Hping, you can study the behavior of an idle host and gain information about
the target such as the services that the host offers, the ports supporting the services, and the
OS of the target.
Here, we will use Hping3 to discover open ports and services running on the live hosts in the
target network.
Note: Ensure that the Windows Server 2022 virtual machine is running.
1. Turn on the Parrot Security virtual machine.
2. In the login page, the attacker username will be selected by default. Enter password as
toor in the Password field and press Enter to log in to the machine.
Note: If a Parrot Updater pop-up appears at the top-right corner of Desktop, ignore and
close it.
Note: If a Question pop-up window appears asking you to update the machine, click No
to close the window.
3. Click the MATE Terminal icon at the top of the Desktop to open a Terminal window.
4. A Parrot Terminal window appears. In the terminal window, type sudo su and press
Enter to run the programs as a root user.
5. Inthe [sudo] password for attacker field, type toor as a password and press Enter.
Note: The password that you type will not be visible.
6. Now, type cd and press Enter to jump to the root directory.
7. A Parrot Terminal window appears. In the terminal window, type hping3 -A [Target IP
Address] -p 80 -c 5 (here, the target machine is Windows Server 2022 [10.10.1.22]) and
press Enter.
Note: In this command, -A specifies setting the ACK flag, -p specifies the port to be
scanned (here, 80), and -c specifies the packet count (here, 5).
In a result, the number of packets sent and received is equal, indicating that the
respective port is open, as shown in the screenshot.
Note: The ACK scan sends an ACK probe packet to the target host; no response means
that the port is filtered. If an RST response returns, this means that the port is closed.
rea
NG 10.10.1
packet lc
9. In the terminal window, type hping3 -8 0-100 -S [Target IP Address] -V (here, the target
machine is Windows Server 2022 [10.10.1.22]) and press Enter.
Note: In this command, -8 specifies a scan mode, -p specifies the range of ports to be
scanned (here, 0-100), and -V specifies the verbose mode.
10. The result appears, displaying the open ports along with the name of service running on
each open port, as shown in the screenshot.
Note: The SYN scan principally deals with three of the flags: SYN, ACK, and RST. You can
use these three flags for gathering illegal information from servers during the
enumeration process.
All Rights Reserved. Reproduction is Strictly Prohibited
ing et MTU 1
anning 10,10.1 port 0-100
a1 pi see all the replies
serv d | win en |
+
tepmux
2 nbp
card
systat
aytime
netstat
7 qotd
hargen
ftp-data R.A
1 ftp R.A
80-100-S101
11. In the term inal window, type hping3 -F -P -U [Target IP Address] -p 80 -c 5 (here, the
target machine is Windows Server 2022 [10.10.1.22]) and press Enter.
Note: In thi is Command, -F specifies setting the FIN flag, -P specifies setting the PUSH
flag, -U spe cifies setting the URG flag, -c specifies the packet count (here, 5), and -p
specifies the port to be scanned (here, 80).
12. The results demonstrate that the number of packets sent and received is equal, thereby
indicating that the respective port is open, as shown in the screenshot.
Note: FIN, PUSH, and URG scan the port on the target IP address. If a port is open on the
target, you will receive a response. If the port is closed, Hping will return an RST
response.
hping3 F
HPING 10.10.1
en=40 ip ) rtt
en=40 port=80 win=@ rtt
en=40 rt=80 f win=0 rtt
en=40 yort=80 win=@ rtt=3
en=40 ttl=128 DF id=61159 rt=80 ) rtt
10.1 1 ati sti

5 packets tre d 50
5 pa kets r
sund-trig avg/max = 3.1/3 4
All Rights Reserved. Reproduction is Strictly Prohibited
13. In the terminal window, type hping3 --scan 0-100 -S [Target IP Address] (here, the
target machine is Windows Server 2022 [10.10.1.22]) and press Enter.
Note: In this command, --scan specifies the port range to scan, 0-100 specifies the range
of ports to be scanned, and -S specifies setting the SYN flag.
14. The result appears displaying the open ports and names of the services running on the
target IP address, as shown in the screenshot.
Note: In the TCP stealth scan, the TCP packets are sent to the target host; if a SYN+ACK
response is received, it indicates that the ports are open.
53 domair
80 http
88 kerberc
plie
15. In the terminal window, type hping3 -1 [Target IP Address] -p 80 -c 5 to perform ICMP
scan (here, the target machine is Windows Server 2022 [10.10.1.22]) and press Enter
Note: In this command, -1 specifies ICMP ping scan, -c specifies the packet count (here,
5), and -p specifies the port to be scanned (here, 80).
16. The results demonstrate that hping has sent ICMP echo requests to 10.10.1.22 and
received ICMP replies which determines that the host is up.
icmp mo set, headers + @ data bytes

448 icmp se 81
441 icmp
61442 icmp
61443 icmp
9.16.1.22
) packets transmitted, ac ed, 0% packet loss
ound-trip min/avg/max 3 6
@parrot
|
17. Apart from the aforementioned port scanning and service discovery techniques, you can
also use the following scanning techniques to perform a port and service discovery on a
target network using Hping3.
= Entire subnet scan for live host: hping3 -1 [Target Subnet] --rand-dest -I ethO
= UDP scan: hping3 -2 [Target IP Address] -p 80 -c 5
live hosts in the target network using Hping3.
20. Turn off the Parrot Security and Windows Server 2022 virtual machines.
Lab Analysis
Analyze and document the results of this lab exercise.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
Internet Connection Required
Oves
Platform Supported
Classroom

Lab 2 - Port and Service Discovery

Uploaded by

Copyright:

Available Formats

Lab 2 - Port and Service Discovery

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Lab 2 - Port and Service Discovery

Uploaded by

Copyright:

Available Formats

Module 03 - Scanning Networks

Perform Port and Service Discovery

Overview of Port and Service Discovery

© Open TCP scanning methods (TCP connect/full open scan)

o SCTP COOKIE/ECHO Scanning

Note: If a User Account Control pop-up appears, click Yes.

‘DE CEHVI2 Module08 Scanning Networks » Scanning Tools » MegePing

item Litem selected. 4.34. MB

6. The About MegaPing window appears; click the | Agree button.

MegaPing 4.9 Copyright® Magneto Software 2022

THANK YOU FOR TRYING MEGAPING

stéfed version does not display this noti

View Tec Help =

File View Too Hep ee

Task 2: Perform Port and Service Discovery using NetScanTools Pro

< ‘> TE Scanning Tools » NetScanToolePro 7 earch NetScanTe

© Onedive= Paso a 8 (ck Next to continue, o Cancel o ext Sein.

> = New Volume

BS « Scanning Tools > NetScantoolsPro are) Search NetScanTools Pro

Start the DEMO Buy Full Version Now at a Discount

NetScantools Pro vi1

7. The NetScanTools Pro main window appears, as shown in the screenshot.

[About the Ping Scanner (aka NetScanner) Tool

‘lick hereto Buy Now! ‘Manwal Tels - Ping Scanner/NetScanner

11. A Ping Scanner notice pop-up appears; click | Accept.

USE THIS FEATURE AT YOUR OWN RISK.

(Do not show this message in the future.

NetScantools Pro v11

Report created with NetScanTools Pro v11 DEMO.

Click hereto Buy Now! Manual Toole - Port Scanner @

USE THIS FEATURE AT YOUR OWN RISK.

(2)Do not show this message in the future.

Welcome Click hereto Buy Now! Manual Tools ~Port Scanner @

Task 3: Perform Port Scanning using sx Tool

2. Switch to the Parrot Security virtual machine.

Note: arp: performs an ARP scan.

Perform ARP scan

help help for sx

d] help" for more information about a

Note: - According to RFC1122, a host should generate Destination Unreachable

= According to RFC792, network unreachable error is specified with code: 0, Host

16. This concludes the demonstration of port scanning using sx Tool.

Task 4: Explore Various Network Scanning Techniques using Nmap

All Apps Documents Web More

=nme Run command =

zenmap for windows 10

zenmap download windows

Nmap Output Ports/ Hosts Topology Host Oetis Scant

Nmap Output Ports/ Hosts Topology Host Details Scans

Nmap Output Ports /Hosts Topology Host Oetai Scans

Nmap Output Ports/ Hosts Topology Host Details Scans

moun OseeCase: A 29 Som @

Customize settings for each typeof network

lowrs Defender Fireva

fl Hosts | Services / Hosts Topology

23. Switch to the Windows Server 2022 virtual machine.

(Dice recommended settings

St re B® comain networks Not connected

28. Close the Zenmap window.

Note: If a User Account Control pop-up appears, click Yes.