Professional Documents
Culture Documents
Topology
Objectives
Part 1: Perform a Nmap network discovery scan
Part 2: Compare a Nmap TCP default port scan and full scan
Part 3: Perform a Nmap UDP Scan
Part 4: Perform Nmap OS and Service Foot Printing
Background / Scenario
Nmap, or “Network mapper,” is a free and open source network port scanner. It can be used to test IoT
devices and firewalls for open, closed, or filtered ports and additionally can provide an inventory of devices
and services available on a network. Nmap uses the TCP header flag fields URG, ACK, PSH, RST, SYN,
FIN, shown in the diagram, to accomplish its scans. It also uses other protocols such as UDP, ICMP and a
built-in database of known OS and application signatures. Nmap is included with Kali, but can also be
2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 6 www.netacad.com
Lab - Port Scanning an IoT Device
downloaded from https://nmap.org/. A comprehensive reference about how Nmap works and how it is used is
available at the Nmap website.
Required Resources
• Raspberry Pi 3 Model B or later
• 8GB Micro SD card (minimum required)
• PC with IoTSec Kali VM
• Network connectivity between PC and Raspberry Pi
2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 2 of 6 www.netacad.com
Lab - Port Scanning an IoT Device
Refer to the man page and complete the table below. There are many other resources available online to
help you learn Nmap.
f. Perform a scan on your network by specifying the network address and bit mask.
root@kali:~# nmap 203.0.113.0/24
What is the IP address of the Raspberry Pi?
____________________________________________________________________________________
g. Sometimes a device would not reply to Nmap’s initial network discovery scan because of a firewall,
IDS/IPS system etc. Instead of relying on the initial scan to discover hosts that are alive for further
scanning, we can use Nmap to scan the network by assuming all hosts are alive.
root@kali:~# nmap -Pn 203.0.113.0/24
What is the IP address and MAC address of your Raspberry PI?
____________________________________________________________________________________
____________________________________________________________________________________
2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 3 of 6 www.netacad.com
Lab - Port Scanning an IoT Device
c. There can be a lot of traffic on the network. A display filter is applied to limit the number of captured
packets displayed to just those that you are interested in. The interesting traffic is between the IP address
of the Kali VM and the Raspberry Pi. Replace IP address of the Raspberry Pi with the IP address
Apply the following display filter in Wireshark using IP address of Kali VM as the source address and IP
address of your Raspberry Pi as the destination address.
ip.src == 203.0.113.1 && ip.dst == 203.0.113.13
As an example in this lab, the IP address for the Raspberry Pi is 203.0.113.13.
2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 4 of 6 www.netacad.com
Lab - Port Scanning an IoT Device
2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 5 of 6 www.netacad.com
Lab - Port Scanning an IoT Device
d. We can sometimes identify a device by looking at the time to live (TTL) field of a local ping response,
which varies by device OS. See the table below:
Cisco 255
Windows 128
Linux 64
In the Kali VM terminal, enter the command to ping your Raspberry Pi with 4 ICMP packets.
root@kali:~# ping -c4 203.0.113.13
What is the response time? Is it consistent with the Nmap identification?
____________________________________________________________________________________
____________________________________________________________________________________
e. Stop the Wireshark capture when finished.
What is different in the port identification from the Nmap TCP scan in Part 2 of the lab and this application
service scan? What implications does this have for IoT security?
____________________________________________________________________________________
____________________________________________________________________________________
What additional functions does this scan also perform?
____________________________________________________________________________________
____________________________________________________________________________________
c. Stop the Wireshark capture when finished.
2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 6 of 6 www.netacad.com