
Lab 6: Vulnerability Assessment (Part 1)

Objectives In this practical you will utilize different tools to perform network
scanning and port scanning as part of vulnerability assessment.

CLO: 4
Duration: 60min+

Requirements  Lab PC
 Kali Linux
 Metasploitable VM
 Windows XP VM

Tasks  Task 1: Network Scanning (PING Tools)
 Task 2: Port Scanning (NMAP)

Vulnerability Assessment
Vulnerability assessment involves discovering weaknesses in the target system. This includes three main tasks:
1) Network Scanning, which involves discovering active hosts on a network,
2) Port Scanning (for each discovered host), which involves identifying open ports and running services, and
3) Vulnerability Scanning, aimed at identifying vulnerabilities in the system; tools such as MBSA and Nessus automate vulnerability scanning.
Student Notes

Intrusion Detection | Lab Instructor Manual | Dr. Samer Aoudi | Updated October 2018
Type of Scanning
1. Network Scanning
– Discover active hosts on a network and produce a network map
– Also called: network sweeping and network tracing
2. Port Scanning
– For each discovered host, identify open ports (i.e. running services)
– Additionally, we can identify the version of each running service
(version scanning)
3. Vulnerability scanning
– Identify vulnerabilities using automated tools (MBSA and Nessus)

Port Scanning
Computer ports are logical gateways through which traffic goes into and out of a computer. Typically, open ports are dedicated to running services (e.g. port 80 for a web server). Scanning for ports allows the tester to check for running services. Some services are vulnerable and can therefore be exploited.

Port scanning programs report:
 Open ports
 Closed ports
 Filtered ports
 Best-guess OS
 Running services and their version
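The open/closed/filtered states above come straight from how the target's TCP stack (or a firewall in front of it) answers a SYN. The following Python script is an illustration added to these notes, not one of the lab's tools: it performs a connect scan (what nmap -sT does) and classifies each port the way nmap would. To run offline it starts its own throwaway listener on 127.0.0.1 and reserves a second, unused port, so the only assumption is that the loopback interface is available.

```python
"""TCP connect() scanner: reproduces nmap -sT's port states at socket level.
Added example for the lab notes; targets are created locally on 127.0.0.1."""
import socket
import threading


def probe_port(host, port, timeout=1.0):
    """Classify one TCP port the way a connect scan does.

    open     - the three-way handshake completed, so something is listening
    closed   - the target answered the SYN with RST (connection refused)
    filtered - nothing came back before the timeout, which is what a
               firewall that silently drops the SYN looks like
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        # e.g. "network unreachable": the probe never left this host
        return "error"
    finally:
        s.close()


def scan_ports(host, ports, timeout=1.0):
    """Return {port: state} for every port in `ports`."""
    return {port: probe_port(host, port, timeout) for port in ports}


def count_states(results):
    """Collapse {port: state} into {state: number_of_ports}, the figures
    the lab tables ask for."""
    counts = {}
    for state in results.values():
        counts[state] = counts.get(state, 0) + 1
    return counts


def start_listener(host="127.0.0.1"):
    """Start a throwaway TCP service on an ephemeral port so the scanner
    has a guaranteed open port to find. Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        try:
            while True:
                conn, _ = srv.accept()
                conn.close()
        except OSError:
            pass  # server socket closed, stop accepting

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def reserve_closed_port(host="127.0.0.1"):
    """Bind and immediately release an ephemeral port: nothing listens on
    it afterwards, so a probe gets RST back, i.e. 'closed'."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo(host="127.0.0.1"):
    """Scan one open and one closed port on loopback and return
    (results, open_port, closed_port) so the caller can check the states."""
    srv, open_port = start_listener(host)
    closed_port = reserve_closed_port(host)
    results = scan_ports(host, [open_port, closed_port], timeout=1.0)
    srv.close()
    return results, open_port, closed_port


if __name__ == "__main__":
    res, o, c = demo()
    for port, state in sorted(res.items()):
        print(f"{port}/tcp {state}")
    print(count_states(res))
```

Against a real target, pass its address and a port list to scan_ports; a host protected by a firewall that drops SYNs will show "filtered" for every port because the call only ever times out, which is exactly the picture the firewall-on runs in Task 2 produce.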

Common Ports

Task 1: Network Scanning (PING Tools)
Task Objectives
 You will use different ping tools to perform ping scans on
networks (sweeps) and on individual target hosts

1. Start your Kali and the two target VMs (XP and Metasploitable)
2. Get the IP address of Kali
What command did you use? ifconfig (or ip addr)
Kali's IP address:

Using netdiscover, we will discover the IP addresses of the other VMs


What is netdiscover? An active/passive ARP reconnaissance tool
How would you get information about the netdiscover tool? man netdiscover (or netdiscover -h)

3. Run the following command: netdiscover -r 192.168.40.0/24

Replace the range shown above with your own VM network (your Kali IP address with the last octet replaced by 0, followed by /24). The -r option of netdiscover takes a range in CIDR form, not a single host address.

Netdiscover Output
What are the IP addresses of your own XP and Metasploitable? XP: 192.168.12.130; Metasploitable: 192.168.12.129

4. Run a ping command on both targets


Note: The ping should work. If it didn’t, let your instructor know
Pinging Targets

FPING
5. Run the following fping command (use the IP addresses of your own target
VMs):
fping -c 2 192.168.40.129 192.168.40.130

Fping Output
What does the -c option do? Sets the number of pings (ICMP echo requests) sent to each target

fping is a program like ping which uses the Internet Control Message Protocol (ICMP) echo request to determine if a target host is responding. fping differs from ping in that you can specify any number of targets on the command line, or specify a file containing the list of targets to ping.

NPING
6. Run the following nping command (use the IP addresses of your own target
VMs):
nping --icmp -c 2 192.168.40.129

What does the -c option do? Sets the number of probes (packets) sent to the target
What does the --icmp option do? Selects ICMP probe mode (ICMP echo is also nping's default mode when run as root)
What type and code are sent? ICMP type 8, code 0 (Echo Request)
What type and code are received? ICMP type 0, code 0 (Echo Reply)
NPING Probe Modes

ICMP Message Types
Type  Description
0     Echo Reply (Ping Reply, used with Type 8, Echo Request)
3     Destination Unreachable
4     Source Quench
5     Redirect
8     Echo Request (Ping Request, used with Type 0, Echo Reply)
9     Router Advertisement (used with Type 10, Router Solicitation)
10    Router Solicitation (used with Type 9, Router Advertisement)
11    Time Exceeded
12    Parameter Problem
13    Timestamp Request (used with Type 14)
14    Timestamp Reply (used with Type 13)
15    Information Request (obsolete) (used with Type 16)
16    Information Reply (obsolete) (used with Type 15)
17    Address Mask Request (used with Type 18)
18    Address Mask Reply (used with Type 17)

7. According to the probe modes shown above, we can choose the ICMP message type nping sends. Based on the ICMP message types table, perform the following scan:
o Packet count = 4
o Target = any of your target VMs
o Probe mode = ICMP
o ICMP type = Router Solicitation
What command did you use? nping --icmp --icmp-type 10 -c 4 192.168.12.130
Did you get any reply back?

8. Repeat the above command but with ICMP type = 13
What command did you use? nping --icmp --icmp-type 13 -c 4 192.168.12.130
Did you get any reply back?
What information does the reply contain? If the target answers, it sends a Timestamp Reply (type 14) carrying three 32-bit timestamps: originate (set by the sender), receive and transmit (set by the target), each in milliseconds since midnight UTC

Let us perform a network sweep using NPING


9. Run the following command (replace the IP range with your own target IP
range):
nping -c 1 192.168.40.0/24

Note that the ping sweep will take some time because we are sweeping the entire network range (i.e. 256 possible addresses).
You will notice in the output that only a handful of packets came back (around 4, one per host that replied; the exact number varies). The hosts that responded are your two targets plus some internal virtual hosts (e.g. the virtual DHCP server).

Ping Sweep Output

How many packets were sent? 152
How many packets were received? 3
How many packets were lost? 149
How long did the sweep take? 152.17 seconds

10. Repeat the network sweep on your target network but with the following options:
o Number of packets c = 1
o Probe mode = TCP
o Target port = 80
(e.g. nping --tcp -p 80 -c 1 192.168.40.0/24)

How many packets were sent? 36
How many packets were received? 2
How many packets were lost? 34
What does the output mean? Two hosts answered the SYN sent to port 80. Check the flags in the RCVD lines before concluding that a web server is running: SA (SYN/ACK) means port 80 is listening, whereas RA (RST/ACK) means the host is up but port 80 is closed; no reply means the packet was dropped or no host exists at that address.

11. Open the web browser in your Kali and try the IP addresses of the hosts that replied
What do you observe?
HPING3
hping3 is a command line network tool able to send custom TCP/IP packets and to display target replies, as the ping program does with ICMP replies. hping3 takes one target per invocation, so to sweep a range you wrap it in a shell loop (or use its --rand-dest mode); for plain ping sweeps nping, fping or nmap -sn are more convenient.

hping3 - send (almost) arbitrary TCP/IP packets to network hosts (man pages).

hping3 modes: TCP (default), RAW IP (-0), ICMP (-1), UDP (-2), SCAN (-8), listen (-9)

12. In Kali, run an hping3 command with the following options:
o Mode: ICMP
o Packet count: 3
What command did you use? hping3 -1 -c 3 192.168.12.130

How many packets were lost? 0

13. Turn on the XP firewall (don't allow exceptions) and repeat the command you used above

XP VM Firewall Settings
How many packets were lost? 3 (100%)

Explain what happened when you turned the firewall on: The firewall filtered (silently dropped) the incoming ICMP echo requests, so Kali sent its ICMP packets but received no reply at all. This is the important point: from the scanner's side a dropped packet and a non-existent host look the same, since neither produces an answer or an error message.

14. Turn the firewall off in the XP VM


15. Run an hping3 command with the following options:
o Mode: SYN scan
o Packet count: 3
What command did you use? hping3 -S -c 3 192.168.12.130
How many packets were lost? 0

What TCP flags were set in the sent packets? S (SYN)

What TCP flags were set in the received packets? RA (RST+ACK): hping3 sends to destination port 0 by default, nothing listens there, so the target refuses the connection with RST/ACK. The flags are shown in hping3's reply lines and can be confirmed in the packet details in Wireshark.
What was the source port? A random base port chosen by hping3, incremented by one for each packet sent (the default when -s is not given)
What was the destination port? 0 (hping3's default when -p is not given); confirm both in Wireshark

16. Run an hping3 command with the following options:
o Mode: SYN scan
o Packet count: 3
o Source port 5151
What command did you use? hping3 -S -c 3 -s 5151 192.168.12.130 (-s sets the base source port; hping3 still increments it per packet unless -k is added to keep it fixed)

17. In the Windows XP VM, right-click My Computer and select Properties


18. Select the Remote tab and check the Allow users to connect
remotely to this computer (if not checked already)

Allowing Remote Access


19. Turn on Windows Firewall (if not already on)
20. Click Exceptions tab and check the Remote Desktop option

Firewall Exceptions
21. Ensure Remote Desktop is checked and click the Edit button
What protocol and port number does Remote Desktop use? TCP 3389

22. Run an hping3 command with the following options:
o Mode: SYN scan
o Packet count: 3
o Source port: 5151
o Destination port: the Remote Desktop port you got from the previous step
What command did you use? hping3 -S -c 3 -s 5151 -p 3389 192.168.12.130

How many packets were lost? 0

Why? Because the firewall has an exception for TCP port 3389, the SYN reaches the Remote Desktop service and the target answers with SA (SYN/ACK). A SYN to any other port (for example the default port 0) is dropped by the firewall and shows as 100% packet loss.
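To make the flag reading in steps 15 to 22 mechanical, the helper below parses hping3 reply lines and the closing statistic block and turns each run into a port state. It is an addition to this manual, not an hping3 feature. The three sample runs are constructed in hping3's output layout for the port-0, port-3389 and firewall-on cases; they were not captured from the lab VMs.

```python
"""Classify hping3 -S runs by the flags in the replies (added example)."""
import re

# Constructed sample runs in hping3's output layout (one line per reply,
# then the statistic block). Not captured from the lab VMs.
SAMPLE_SYN_PORT0 = """\
HPING 192.168.12.130 (eth0 192.168.12.130): S set, 40 headers + 0 data bytes
len=46 ip=192.168.12.130 ttl=128 DF id=101 sport=0 flags=RA seq=0 win=0 rtt=0.6 ms
len=46 ip=192.168.12.130 ttl=128 DF id=102 sport=0 flags=RA seq=1 win=0 rtt=0.5 ms
len=46 ip=192.168.12.130 ttl=128 DF id=103 sport=0 flags=RA seq=2 win=0 rtt=0.5 ms

--- 192.168.12.130 hping statistic ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.5/0.5/0.6 ms
"""

SAMPLE_SYN_RDP = """\
HPING 192.168.12.130 (eth0 192.168.12.130): S set, 40 headers + 0 data bytes
len=46 ip=192.168.12.130 ttl=128 DF id=201 sport=3389 flags=SA seq=0 win=65535 rtt=0.7 ms
len=46 ip=192.168.12.130 ttl=128 DF id=202 sport=3389 flags=SA seq=1 win=65535 rtt=0.6 ms
len=46 ip=192.168.12.130 ttl=128 DF id=203 sport=3389 flags=SA seq=2 win=65535 rtt=0.6 ms

--- 192.168.12.130 hping statistic ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.6/0.6/0.7 ms
"""

SAMPLE_SYN_FIREWALLED = """\
HPING 192.168.12.130 (eth0 192.168.12.130): S set, 40 headers + 0 data bytes

--- 192.168.12.130 hping statistic ---
3 packets transmitted, 0 packets received, 100% packet loss
"""

# "sport" in a reply line is the target's source port, i.e. the port we probed.
REPLY_RE = re.compile(r"^len=\d+ ip=(\S+) ttl=(\d+) .*?sport=(\d+) flags=([A-Z]+)")
STATS_RE = re.compile(r"^(\d+) packets transmitted, (\d+) packets received, (\d+)% packet loss")


def parse_hping3(output):
    """Split hping3 output into a list of reply dicts and a stats dict."""
    replies, stats = [], None
    for line in output.splitlines():
        m = REPLY_RE.match(line)
        if m:
            replies.append({"ip": m.group(1), "ttl": int(m.group(2)),
                            "port": int(m.group(3)), "flags": m.group(4)})
            continue
        m = STATS_RE.match(line)
        if m:
            stats = {"sent": int(m.group(1)), "received": int(m.group(2)),
                     "loss_pct": int(m.group(3))}
    if stats is None:
        raise ValueError("no hping statistic block found; was the run interrupted?")
    return replies, stats


def classify_syn_probe(output):
    """Turn one hping3 -S run into a port state.

    SA (SYN/ACK) -> open     : a service accepted the handshake
    RA (RST/ACK) -> closed   : host is up, nothing listens on that port
    no replies   -> filtered : a firewall dropped the SYN (100% loss)
    """
    replies, stats = parse_hping3(output)
    if stats["received"] == 0:
        return "filtered"
    flags = {r["flags"] for r in replies}
    if "SA" in flags:
        return "open"
    if flags & {"RA", "R"}:
        return "closed"
    return "unknown(" + ",".join(sorted(flags)) + ")"


if __name__ == "__main__":
    for name, run in [("port 0", SAMPLE_SYN_PORT0), ("port 3389", SAMPLE_SYN_RDP),
                      ("port 0, firewall on", SAMPLE_SYN_FIREWALLED)]:
        replies, stats = parse_hping3(run)
        print(f"{name}: {classify_syn_probe(run)} "
              f"({stats['received']}/{stats['sent']} replies, "
              f"flags {[r['flags'] for r in replies]})")
```

The same three outcomes are what nmap's SYN scan reports as open, closed and filtered; a real run is fed in with hping3 -S ... | python3 this_script.py after replacing the sample strings with sys.stdin.read().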
Task 2: Port Scanning (NMAP)
Task Objectives
 You will use NMAP to scan entire networks for live hosts, and
scan individual hosts to detect open ports and running
services.

Lab Network:
The security lab is set up in an isolated way allowing students to perform
network scans within the lab. Do NOT perform network scans outside the lab
environment.
VM Network:
If the lab is not set up to allow scanning of the lab network (i.e. bridged
VMs), students’ VMs should be configured to allow scanning their own virtual
network (i.e. NAT setup).

NMAP
nmap is a network exploration tool and security / port scanner (man pages)

nmap website: https://nmap.org/

Nmap ("Network Mapper") is a free and open source (license) utility for
network discovery and security auditing. Many systems and network
administrators also find it useful for tasks such as network inventory,
managing service upgrade schedules, and monitoring host or service
uptime.

Nmap uses raw IP packets in novel ways to determine what hosts are
available on the network, what services (application name and version) those
hosts are offering, what operating systems (and OS versions) they are
running, what type of packet filters/firewalls are in use, and dozens of other
characteristics. It was designed to rapidly scan large networks, but works
fine against single hosts.

In addition to the classic command-line Nmap executable, the Nmap


suite includes an advanced GUI and results viewer (Zenmap), a flexible
data transfer, redirection, and debugging tool (Ncat), a utility for
comparing scan results (Ndiff), and a packet generation and response
analysis tool (Nping).

NMAP Usage:
nmap [Scan Type(s)] [Options] {target specification}

Topics to review in the nmap documentation before the tasks below: scan types, scan options, port specification, version detection, NSE scripts, OS detection, firewall/IDS evasion, output formats, and the examples section.
What is the IP address of your Kali VM?
What is the IP address of your XP VM?
What is the IP address of your Metasploitable VM?

1. Ensure your Kali, XP, and Metasploitable are all running


2. Perform the following NMAP scans and write the command for each
NMAP Command (replace 192.168.12.130 with your target's address)
SYN (Stealth): nmap -sS 192.168.12.130
TCP Connect: nmap -sT 192.168.12.130
Null: nmap -sN 192.168.12.130
FIN: nmap -sF 192.168.12.130
ACK: nmap -sA 192.168.12.130
XMAS: nmap -sX 192.168.12.130
UDP: nmap -sU 192.168.12.130

3. Run the scans with the XP VM firewall ON and write down the results:

Results with firewall ON       SYN    TCP    NULL   FIN    ACK    XMAS   UDP
Number of Open Ports           -      -      -      -      -      -      -
Number of Closed Ports         -      -      -      -      -      -      -
Number of Filtered Ports       1000   1000   -      -      1000   -      -
Number of Open|Filtered Ports  -      -      1000   1000   -      1000   1000
Number of Unfiltered Ports     -      -      -      -      -      -      -
Scan Time (s)                  21.25  21.18  21.24  21.28  21.28  21.24  21.27

4. Run the scans with the XP firewall OFF and write down the results:

Results with firewall OFF      SYN    TCP    NULL   FIN    ACK    XMAS   UDP
Number of Open Ports           8      8      -      -      -      -      10
Number of Closed Ports         992    992    1000   1000   -      1000   990
Number of Filtered Ports       -      -      -      -      -      -      -
Number of Open|Filtered Ports  -      -      -      -      -      -      8*
Number of Unfiltered Ports     -      -      -      -      1000   -      -
Scan Time (s)                  1.19   1.18   1.18   1.18   1.18   1.20   1.26

* The recorded sheet lists 8 open|filtered ports for this run without a clear column; the UDP column already sums to 1000 with 10 open and 990 closed, so treat this cell as ambiguous and record your own count.
Results
Results, especially scan time, will vary. The important thing is that students are capable of retrieving and interpreting this information. Two patterns are worth pointing out: with the firewall on, every probe is silently dropped, so the SYN, Connect and ACK scans report "filtered" while NULL, FIN, XMAS and UDP report "open|filtered" (for those scan types no response is ambiguous, since an open port would also stay silent); with the firewall off, NULL, FIN and XMAS report all 1000 ports closed even though eight are open, because Windows answers any probe that lacks the SYN flag with RST regardless of port state, so those scan types cannot separate open from closed ports on Windows targets. Every column should still add up to 1000, the number of TCP/UDP ports nmap scans by default.
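Filling the two tables by hand from seven scans is error-prone; nmap's grepable output (-oG, or -oG - to print it to the terminal) turns it into a parsing job. The helper below is added here for the lab and is not part of nmap. The sample lines are constructed in the -oG layout to mirror the firewall-off SYN scan, the firewall-on SYN scan and a UDP scan of the XP target; they are not captured output, and the port counts are made up.

```python
"""Tabulate nmap -oG output into per-state port counts (added example)."""
import re

# Constructed sample output in nmap's grepable (-oG) layout. The format is
# nmap's; the hosts, ports and counts are made up for this example.
SAMPLE_OG_SYN_FIREWALL_OFF = (
    "# Nmap 7.70 scan initiated as: nmap -sS -oG - 192.168.12.130\n"
    "Host: 192.168.12.130 ()\tStatus: Up\n"
    "Host: 192.168.12.130 ()\tPorts: 135/open/tcp//msrpc///, "
    "139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///"
    "\tIgnored State: closed (997)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned in 1.19 seconds\n"
)
SAMPLE_OG_SYN_FIREWALL_ON = (
    "Host: 192.168.12.130 ()\tStatus: Up\n"
    "Host: 192.168.12.130 ()\tIgnored State: filtered (1000)\n"
)
SAMPLE_OG_UDP = (
    "Host: 192.168.12.130 ()\tStatus: Up\n"
    "Host: 192.168.12.130 ()\tPorts: 123/open|filtered/udp//ntp///, "
    "137/open/udp//netbios-ns///\tIgnored State: closed (998)\n"
)

HOST_RE = re.compile(r"^Host: (\S+) ")
# Each port entry is port/state/protocol/owner/service/rpc info/version/;
# only the first three fields matter for the state table.
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(tcp|udp)/")
IGNORED_RE = re.compile(r"Ignored State: ([\w|]+) \((\d+)\)")

NMAP_STATES = ["open", "closed", "filtered", "open|filtered",
               "unfiltered", "closed|filtered"]


def tabulate_og(output):
    """Return {host: {state: count}} from -oG text.

    Explicitly listed ports contribute one each to their state; the
    "Ignored State: closed (997)" summary contributes its count in bulk,
    which is how nmap keeps the line short when most ports share a state.
    """
    table = {}
    for line in output.splitlines():
        m = HOST_RE.match(line)
        if not m or ("Ports:" not in line and "Ignored State:" not in line):
            continue  # comment lines and the "Status: Up" line carry no port data
        counts = table.setdefault(m.group(1), {})
        for _port, state, _proto in PORT_RE.findall(line):
            counts[state] = counts.get(state, 0) + 1
        ign = IGNORED_RE.search(line)
        if ign:
            counts[ign.group(1)] = counts.get(ign.group(1), 0) + int(ign.group(2))
    return table


def table_row(counts):
    """Order the counts into the lab's row layout, one entry per nmap state."""
    return {s: counts.get(s, 0) for s in NMAP_STATES}


def check_total(counts, expected=1000):
    """True when the counts account for every scanned port (1000 by default)."""
    return sum(counts.values()) == expected


if __name__ == "__main__":
    for name, sample in [("SYN, firewall off", SAMPLE_OG_SYN_FIREWALL_OFF),
                         ("SYN, firewall on", SAMPLE_OG_SYN_FIREWALL_ON),
                         ("UDP, firewall off", SAMPLE_OG_UDP)]:
        for host, counts in tabulate_og(sample).items():
            status = "ok" if check_total(counts) else "incomplete"
            print(name, host, table_row(counts), status)
```

Run each of the seven scans with -oG appended (for example nmap -sS -oG syn.gnmap 192.168.12.130), feed the file contents to tabulate_og, and check_total tells you whether the row you are about to write down accounts for all 1000 ports.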

5. With the firewall off, perform a TCP scan on port 21 and show what version of the service is running on that port
Command: nmap -sT -sV -p 21 192.168.12.130

Port 21
State Open
Service FTP
Version Microsoft ftpd

6. With the firewall off, perform a scan to detect the OS on the target
Command: nmap -O 192.168.12.130

Device Type: General purpose
Running: Microsoft Windows XP|2003
OS Details: Microsoft Windows XP Professional SP2

NMAP is capable of running advanced and deep scans. For your project, you are expected to discover these techniques and utilize them. Otherwise, you won't be able to produce accurate results. Research and try the following:
7. Run a deep scan of all ports on each one of your target hosts (XP and Metasploitable). Your scan should include service version and OS detection
Command (XP): nmap -sV -O -p 1-65535 192.168.221.132 (all 65535 TCP ports with version and OS detection; -p- is shorthand for -p 1-65535)
Command (Meta): nmap -sV -O -p 1-65535 <Metasploitable IP>

Sometimes you want speed and efficiency in your scan. Research and try the following:
8. Perform a version detection scan on one of your hosts targeting only open ports
Command: nmap -sV --open 192.168.12.130 (--open limits the output to open or possibly open ports)

9. Perform a fast scan
Command: nmap -F 192.168.12.130 (-F scans the 100 most common ports instead of the default 1000)

Sometimes you want to trick the target system by providing a number of decoys. This option makes it look like those decoys are scanning the target network. It does not hide your own IP, but it makes your IP one of a torrent of others supposedly scanning the victim at the same time. Research and try the following:
10. Perform a version detection scan on one of your target hosts using 2 decoys (the other target host included)
Command: nmap -sV -D 192.168.12.129,RND 192.168.12.130 (-D lists the decoy addresses; RND picks a random one. Note that decoys only cover the port scan phase: version detection completes real TCP connections from your own address, so the target still sees it.)
Review Questions
The following questions are based on the information and activities performed
in the activity you just completed.

1. How many port states does NMAP report and what are they?

Six: open, closed, filtered, unfiltered, open|filtered and closed|filtered. (A default scan covers 1,000 TCP ports per host, so the counts in each column of the tables above add up to 1,000.)

2. Which one is not part of the vulnerability detection phase of penetration testing?
A. Vulnerability scanning
B. Network scanning
C. Port scanning
D. Exploiting vulnerabilities
Answer: D

3. Which tool can be used to perform a PING sweep?
A. NMAP
B. HPING3
C. Ping Sweeper
D. All of the above
Answer: D (hping3 handles one target per run, but looped over a range or with --rand-dest it sweeps as well)

4. What is the default destination port in HPING3?
A. Random
B. 80
C. 0
D. 65535
Answer: C

5. What is the default source port in HPING3?
A. Random
B. 80
C. 0
D. 65535
Answer: A

6. What command is used to save the output of an NMAP scan into a file called results on the target 192.166.1.12?

nmap -oN results 192.166.1.12 (-oN writes normal output to the named file)
