Contents
Topology Discovery Part 1
  Introduction
    Exam Objectives
    Lab Diagram
    Connecting to your lab
  Exercise 1 - Basic Scanning
    Task 1 - Connecting to Kali
    Task 2 - Show host interfaces and routes
    Task 3 - Scan a single host/IP address
    Task 4 - Scan a range and subnet
    Task 5 - Scan a range excluding hosts/networks
    Task 6 - Fast Scan
  Exercise 2 - Discovering Network Topologies
    Task 1 - Host discovery using ping scan
    Task 2 - Port State
    Task 3 - Display open ports only
    Task 4 - Scan specific ports
    Task 5 - Tracenet to device
  Exercise 3 - Topology Discovery against Firewalls
    Task 1 - Identify and scan a firewall protected host
    Task 2 - Scan with TCP SYN, ACK Ping
    Task 3 - Scan with UDP Ping
  Summary
Introduction
The Topology Discovery Part 1 module provides you with the
instructions and devices to develop your hands-on skills in the following
topics.
• Basic Scanning
• Discovering Network Topologies
• Topology Discovery against Firewalls
Exam Objectives
Lab Diagram
During your session, you will have access to the following lab configuration.
Depending on the exercises you may or may not use all of the devices, but
they are shown here in the layout to get an overall understanding of the
topology of the lab.
Connecting to your lab
In this module, you will be working on the following equipment to carry out
the steps defined in each exercise.
To start, simply choose a device and click Power on. In some cases, the
devices may power on automatically.
Exercise 1 - Basic Scanning
while security auditors may care about every single device with an IP address. Administrators may be comfortable using an ICMP ping to locate hosts on the internal network, while an external penetration tester may use a diverse set of probes to evade firewall restrictions, since a ping scan itself covers more than ICMP echo requests.
Please refer to your course material or use your favorite search engine to
research for more information about this topic.
Task 1 - Connecting to Kali
In this task, you will power on and connect to the lab devices used within this exercise.
Step 1
Ensure you have powered on the required devices and connect
to PLABKALI01.
Figure 1.1 Screenshot of PLABKALI01: Typing root into the username field
on the login screen.
Step 2
When prompted, type the following password in the Password field:
Passw0rd
Click Sign In.
Figure 1.2 Screenshot of PLABKALI01: Entering the password in the
Password text box and then clicking Sign In.
Step 3
The PLABKALI01 desktop is displayed.
Task 2 - Show host interfaces and routes
This is a very useful command for listing the connections to the device which are active on the Ethernet port; it will also detail any connection considerations which must be made before scanning other devices.
Step 1
On the desktop, in the left pane, click the Terminal icon.
Figure 1.4 Screenshot of PLABKALI01: Clicking the Terminal icon in the
left pane.
Step 2
At the command prompt of the terminal window, type the following
command:
nmap
Figure 1.5 Screenshot of PLABKALI01: Typing the nmap command on the
terminal window.
This will immediately start the nmap program within the terminal screen; run with no arguments, it prints its usage summary.
Figure 1.6 Screenshot of PLABKALI01: Displaying the output of the nmap
command.
Step 3
Type the following command into the terminal:
nmap --iflist
Figure 1.7 Screenshot of PLABKALI01: Typing the nmap --iflist command.
The output displays the IP/MASK for each device, along with its MAC address, which is essential for connecting to the network. We also see a metric for each route, which is useful when monitoring routing paths.
Figure 1.8 Screenshot of PLABKALI01: Displaying the output of the nmap --iflist command.
Task 3 - Scan a single host/IP address
Step 1
Now we will place an IP address into the command to begin a scan.
nmap 192.168.0.4
Figure 1.9 Screenshot of PLABKALI01: Typing the nmap command with the
IP address.
In the output, you will see the port information: the port number, the state of the port (listed as open), and the service running on that port. These can then be used for further investigation.
Figure 1.10 Screenshot of PLABKALI01: Displaying the output of the nmap
command with an IP address.
Task 4 - Scan a range and subnet
In the previous task, you used NMAP to scan a single IP address. You will now use NMAP to scan an IP range and develop the topology further.
Step 1
If we wish to scan a range of addresses for information, then we can either list each address after NMAP one after the other, or specify a range of values, as seen in the second command below.
Figure 1.11 Screenshot of PLABKALI01: Typing the nmap command with a
range of IP addresses.
In the output, you will see the port information for all six IP addresses.
Figure 1.12 Screenshot of PLABKALI01: Displaying the output of the nmap
command with a range of IP addresses.
Step 2
Type the following command into the terminal to scan for a subnet:
nmap 192.168.0.0/20
This will immediately begin the program within the terminal screen.
Note: The subnet scan can take a while to perform so you might wish
Figure 1.13 Screenshot of PLABKALI01: Typing the nmap command to scan
for a subnet
Pressing the following key combination will stop the process from running and return you to the console prompt.
Ctrl-C
The output will show all the devices listed in the lab, numbered from 192.168.0.1 through to 192.168.0.10.
Figure 1.14 Screenshot of PLABKALI01: Displaying the output after
scanning for a subnet
Task 5 - Scan a range excluding hosts/networks
Often only the most commonly used IP range is scanned rather than every device; this is useful because a scan can take a while to complete and time is critical in these engagements. In this task, therefore, you will ask nmap to exclude devices, which helps to reduce the scanning time.
Step 1
Type in the following command:
Figure 1.15 Screenshot of PLABKALI01: Typing the nmap scan with exclude
function.
Figure 1.16 Screenshot of PLABKALI01: Displaying the output of the nmap
scan with exclude function.
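To see how nmap turns a target specification into the list of addresses it will probe, and why a /20 subnet scan runs for so long, here is an added Python example (not part of the Practice Labs module). It expands a single address, a per-octet range or comma list such as 192.168.0.1-6 or 192.168.3-5,7.1 (nmap accepts both in any octet), and a CIDR block, then removes anything covered by an exclude set the way nmap's --exclude option (a comma-separated list of hosts or networks) does. The function names and the sample inputs are this example's own; a /20 covers 4096 addresses, which is why the subnet scan above takes a while.

```python
"""Expand nmap-style target specifications (added example, not the
module's own code).  Shows how many addresses a scan will touch before
you run it, and how an exclude list trims the set."""
import ipaddress
import itertools
from typing import Iterable, List, Set


def _octet_values(part: str) -> List[int]:
    """Expand one component of a dotted quad.

    '5' -> [5]; '1-6' -> [1, 2, 3, 4, 5, 6]; '3-5,7' -> [3, 4, 5, 7].
    nmap accepts the same ranges and comma lists in any octet."""
    values: List[int] = []
    for piece in part.split(","):
        if "-" in piece:
            lo, hi = piece.split("-", 1)
            values.extend(range(int(lo or 0), int(hi or 255) + 1))
        else:
            values.append(int(piece))
    if any(v < 0 or v > 255 for v in values):
        raise ValueError(f"octet out of range: {part!r}")
    return values


def expand_target(spec: str) -> List[str]:
    """Return every IPv4 address covered by one target specification.

    Supported: a single address, per-octet ranges/lists, and CIDR.
    For CIDR the network and broadcast addresses are included, as they
    are in nmap's own host list (a /24 is reported as 256 addresses)."""
    if "/" in spec:
        return [str(a) for a in ipaddress.IPv4Network(spec, strict=False)]
    parts = spec.split(".")
    if len(parts) != 4:
        raise ValueError(f"unsupported target: {spec!r}")
    return [".".join(str(o) for o in combo)
            for combo in itertools.product(*(_octet_values(p) for p in parts))]


def build_host_list(targets: Iterable[str], exclude: Iterable[str] = ()) -> List[str]:
    """Expand all targets, drop anything in the exclude set, keep the
    original order, and remove duplicates (overlapping specs are common)."""
    excluded: Set[str] = set()
    for spec in exclude:
        excluded.update(expand_target(spec))
    seen: Set[str] = set()
    hosts: List[str] = []
    for spec in targets:
        for addr in expand_target(spec):
            if addr in excluded or addr in seen:
                continue
            seen.add(addr)
            hosts.append(addr)
    return hosts


if __name__ == "__main__":
    # Constructed inputs that match the lab's addressing.
    print(len(expand_target("192.168.0.0/20")))   # 4096 addresses
    print(expand_target("192.168.0.1-6"))
    print(build_host_list(["192.168.0.1-10"], exclude=["192.168.0.5", "192.168.0.8-9"]))
```

Running build_host_list before a scan gives the exact address count nmap will report in its "Nmap done: N IP addresses" line, so you can judge in advance whether a range or an exclude list is needed to fit the time available.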
Task 6 - Fast Scan
You may wish to use a Fast Scan (-F) if you are scanning a very large network. It provides details when time is of the essence.
Step 1
Type in the following command:
nmap -F 192.168.0.1
Figure 1.17 Screenshot of PLABKALI01: Typing the command for nmap fast
scan.
Notice that the scan where ‘-F’ was applied took 14.27 seconds, whereas a normal nmap scan took 17.94 seconds.
Figure 1.18 Screenshot of PLABKALI01: Displaying the output for nmap
fast scan.
Leave all devices powered on in their current state and proceed to the
next exercise.
Please refer to your course material or use your favorite search engine to
research for more information about this topic.
Exercise 2 - Discovering Network Topologies
Task 1 - Host discovery using ping scan
With the basics covered, we can now use techniques to learn about the devices in the vicinity. The following syntax is used for a ping scan.
-sP
Step 1
Clear the screen by entering the following command:
clear
Figure 2.1 Screenshot of PLABKALI01: Typing the command for Ping Scan.
The output shows the result of the ping scan across the network, looking for which devices are considered to be ‘up’. This means those devices are ready to receive network communications.
Figure 2.2 Screenshot of PLABKALI01: Displaying the output for Ping Scan.
Task 2 - Port State
Now we can scan one IP address for its ports and the state of those ports to learn more about the device, using the following syntax.
--reason
Step 1
Type the following command into the terminal:
Figure 2.3 Screenshot of PLABKALI01: Typing the command to find the
state of ports.
The output shows that NMAP provides the reason for each port state: here a SYN/ACK packet received with a TTL (time to live) of 128.
Figure 2.4 Screenshot of PLABKALI01: Output displaying the state of ports.
Task 3 - Display open ports only
The following syntax is used to show open ports only, when we are specifically looking for obvious ports which usually carry traffic.
--open
Step 1
Type the following command into the terminal:
Figure 2.5 Screenshot of PLABKALI01: Typing the command to scan for
open ports.
Once we are familiar with NMAP and network mapping, we can cut down our port scanning to only the ports we are interested in. The image below displays output for open ports only.
Figure 2.6 Screenshot of PLABKALI01: Output displaying the open ports.
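The port table that --reason and --open produce is easier to review as structured data once nmap's output has been saved, which is how an analyst works through a large scan rather than reading it on screen. The following Python script is an added example, not part of the Practice Labs module. The sample output inside it is constructed in the shape nmap --reason prints: two report blocks, one from a scan of specific ports against 192.168.0.1 and one from a default 1000-port scan against 192.168.0.5, with made-up MAC addresses and timings. It extracts port, state, service and reason, applies the same filter --open applies, and flags a host whose ports are almost all ‘filtered’, which is what a firewall that silently drops probes produces. The function and class names are this example's own.

```python
"""Parse nmap's normal (human-readable) output into structured records.
Added example; not part of the Practice Labs module or of nmap."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the shape `nmap --reason` prints.  Hosts, ports,
# MAC addresses and timings are made up for this example.
SAMPLE_OUTPUT = """\
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-01 10:00 UTC
Nmap scan report for 192.168.0.1
Host is up, received arp-response (0.00050s latency).
PORT    STATE  SERVICE      REASON
80/tcp  closed http         reset ttl 128
139/tcp open   netbios-ssn  syn-ack ttl 128
445/tcp open   microsoft-ds syn-ack ttl 128
464/tcp open   kpasswd5     syn-ack ttl 128
MAC Address: 00:15:5D:00:00:01 (Microsoft)

Nmap scan report for 192.168.0.5
Host is up, received arp-response (0.00040s latency).
Not shown: 998 filtered ports
Reason: 998 no-responses
PORT    STATE SERVICE      REASON
135/tcp open  msrpc        syn-ack ttl 128
445/tcp open  microsoft-ds syn-ack ttl 128
MAC Address: 00:15:5D:00:00:05 (Microsoft)

Nmap done: 2 IP addresses (2 hosts up) scanned in 3.21 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (?P<host>\S+)")
# "Not shown: 995 closed ports, 3 filtered ports" may list several states.
NOT_SHOWN_RE = re.compile(r"(?P<count>\d+) (?P<state>[\w|]+) ports?")
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+(?P<state>[\w|]+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<reason>\S.*))?$")


@dataclass
class PortResult:
    port: int
    proto: str
    state: str      # open, closed, filtered, open|filtered, ...
    service: str
    reason: str     # only present when --reason was used


@dataclass
class HostResult:
    host: str
    ports: List[PortResult] = field(default_factory=list)
    not_shown: Dict[str, int] = field(default_factory=dict)

    def state_counts(self) -> Dict[str, int]:
        """Ports per state, including the ones nmap collapsed into 'Not shown'."""
        counts = dict(self.not_shown)
        for p in self.ports:
            counts[p.state] = counts.get(p.state, 0) + 1
        return counts


def parse_nmap_output(text: str) -> List[HostResult]:
    hosts: List[HostResult] = []
    current: Optional[HostResult] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            current = HostResult(host=m.group("host"))
            hosts.append(current)
            continue
        if current is None:
            continue
        if line.startswith("Not shown:"):
            for count, state in NOT_SHOWN_RE.findall(line):
                current.not_shown[state] = current.not_shown.get(state, 0) + int(count)
            continue
        m = PORT_RE.match(line)
        if m:
            current.ports.append(PortResult(int(m["port"]), m["proto"], m["state"],
                                            m["service"], (m["reason"] or "").strip()))
    return hosts


def open_ports(host: HostResult) -> List[PortResult]:
    """Same selection as nmap's --open: keep only ports reported as open."""
    return [p for p in host.ports if p.state == "open"]


def looks_firewalled(host: HostResult, threshold: float = 0.9) -> bool:
    """True when at least `threshold` of the scanned ports were 'filtered',
    i.e. the probes were silently dropped, the usual sign of a packet filter."""
    counts = host.state_counts()
    total = sum(counts.values())
    return total > 0 and counts.get("filtered", 0) / total >= threshold


if __name__ == "__main__":
    for h in parse_nmap_output(SAMPLE_OUTPUT):
        print(h.host, [p.port for p in open_ports(h)], "firewalled" if looks_firewalled(h) else "")
```

Save a real scan with nmap's -oN option and feed the file to parse_nmap_output; a host where looks_firewalled is true is the case the firewall exercise deals with, since ‘filtered’ means no answer at all rather than a closed port's RST.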
Task 4 - Scan specific ports
In this task, you will scan a specific port, number 80, which is used for HTTP traffic; typically, if a device is connected to the internet, it will have this service operating.
-p (p1) (Ipaddress)
Step 1
We will choose a port of interest which usually has traffic passing through
it.
nmap -p 80 192.168.0.1
Figure 2.7 Screenshot of PLABKALI01: Typing the command to scan
specific ports 80.
In the output we can see the device is ‘up’ but port 80 is in a ‘closed’ state. We can also confirm this is the port used by HTTP, and the device has a MAC address which is associated with Microsoft.
Figure 2.8 Screenshot of PLABKALI01: Displaying the output after
scanning for specific ports.
Step 2
If we wish to specify TCP traffic only for a specific port scan, we might choose a TCP packet on port 464, which holds kpasswd5.
-p T:(p1) (Ipaddress)
Figure 2.9 Screenshot of PLABKALI01: Typing the command for a specific port scan with TCP traffic.
The output shows the state of the TCP port 464 on the device address
192.168.0.1 which is ‘open’.
Figure 2.10 Screenshot of PLABKALI01: Displaying the output showing the
state of the TCP port.
Step 3
You’ll now scan two ports, 139 and 464, for netbios-ssn and kpasswd5.
Figure 2.11 Screenshot of PLABKALI01: Typing the command to scan for 2
ports.
The output demonstrates the usage of scanning 2 ports on the same device,
which are both found to be open.
Figure 2.12 Screenshot of PLABKALI01: Displaying the output after
scanning for 2 ports.
Step 4
You’ll now scan a port range on a device, from 80-500.
-p (p1-p2) (Ipaddress)
Figure 2.13 Screenshot of PLABKALI01: Typing the command to scan for a
port range.
With a single device, the result below for 192.168.0.1 shows only those ports in the specified range 80-500 which responded.
Figure 2.14 Screenshot of PLABKALI01: Displaying the output after
scanning for a port range.
Task 5 - Tracenet to device
Tracenet helps to detail how packets cross the network by recording all the packets sent and received; this produces quite a lot of data.
Step 1
Clear the screen by entering the following command:
clear
Figure 2.15 Screenshot of PLABKALI01: Typing the nmap command to
perform a packet trace.
Figure 2.16 Screenshot of PLABKALI01: Displaying the output after a
packet trace.
Leave all devices powered on in their current state and proceed to the
next exercise.
Please refer to your course material or use your favorite search engine to
research for more information about this topic.
Exercise 3 - Topology Discovery against Firewalls
Task 1 - Identify and scan a firewall protected host
In this task, you will run a command which locates hosts that are firewall protected. This is useful because firewalls may be set to filter traffic, making hosts appear as though they are not present on the network.
-sA
Step 1
Clear the screen by entering the following command:
clear
Figure 3.1 Screenshot of PLABKALI01: Typing the nmap command for
firewall identification.
If you refer back to the diagram in the introduction of this module, you will
notice that there is a Windows 8 device listed with the IP address
192.168.0.5. Looking at our NMAP scan, it shows that this device is behind
an active firewall.
Figure 3.2 Screenshot of PLABKALI01: Displaying the output for firewall
identification.
Step 2
The following command scans every IP, whether or not it appears to have an available host.
-PN
Figure 3.3 Screenshot of PLABKALI01: Typing the nmap command for
scanning firewall host.
The output shows that the device is ‘up’, along with the services running on it, with 998 filtered ports.
Figure 3.4 Screenshot of PLABKALI01: Displaying the output after
scanning for a firewall host.
Task 2 - Scan with TCP SYN, ACK Ping
In this task, you will perform a scan using TCP SYN and ACK ping. If ICMP pings are blocked, other methods are worth testing against the device.
This command sends an empty TCP packet with the SYN flag set. This suggests to the remote system that you are attempting to connect; if the port is open, it will respond with the next step of the three-way handshake.
Step 1
We can also target the scan at specific ports of interest.
-PS
Figure 3.5 Screenshot of PLABKALI01: Typing the nmap command for SYN
scan against port 80.
Figure 3.6 Screenshot of PLABKALI01: Displaying the output after SYN
scan against port 80.
Step 2
The following command is similar to -PS but uses the ACK flag of the three-way handshake. The purpose is to acknowledge data over a supposed connection where none exists; responding hosts then send back an RST flag, giving away their presence.
-PA
Figure 3.7 Screenshot of PLABKALI01: Typing the nmap command to perform an ACK scan against ports 80 and 21.
Figure 3.8 Screenshot of PLABKALI01: Displaying the output after the ACK
scan was performed.
Task 3 - Scan with UDP Ping
In this task, you will scan using UDP ping. Ping scans are used to determine whether a host is responding and can be considered online. UDP ping scans have the advantage of being able to detect systems behind firewalls with strict TCP filtering that leave UDP traffic unchecked.
The following command assists with UDP pings, which are used for bypassing firewalls and filters that only screen TCP traffic.
Step 1
Type the following command into the terminal:
Figure 3.9 Screenshot of PLABKALI01: Typing the nmap command for UDP ping scan.
The output from the UDP ping scan shows that there is a device active at the address 192.168.0.2.
Figure 3.10 Screenshot of PLABKALI01: Displaying the output after the UDP ping scan.
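Which probes prove a host is up, and which say nothing when they get no reply, follows a small set of rules described in the Host Discovery section of the nmap reference guide. The Python model below is an added example (not the module's or nmap's own code; the class and function names are this example's own) that encodes those rules for ICMP echo (-PE), TCP SYN (-PS), TCP ACK (-PA) and UDP (-PU) pings and combines the answers the way a multi-probe ping scan does: any probe that proves the host up wins, and silence from every probe is never proof that a host is down. Note that current nmap releases spell -sP as -sn and -PN as -Pn; the older spellings used in this module are still accepted as aliases.

```python
"""Model of nmap's host-discovery decisions (added example, not nmap's
own code).  Each probe type draws a different reply from a live host;
the rules follow the Host Discovery section of the nmap reference guide."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Probe(Enum):
    ICMP_ECHO = "-PE"   # ICMP echo request, the classic "ping"
    TCP_SYN = "-PS"     # empty TCP packet with the SYN flag set
    TCP_ACK = "-PA"     # empty TCP packet with the ACK flag set
    UDP = "-PU"         # empty UDP datagram to an unlikely port


class Response(Enum):
    NONE = "no response"
    ICMP_ECHO_REPLY = "ICMP echo reply"
    TCP_SYN_ACK = "TCP SYN/ACK"
    TCP_RST = "TCP RST"
    ICMP_PORT_UNREACHABLE = "ICMP port unreachable"
    ICMP_OTHER_UNREACHABLE = "ICMP net/host/protocol unreachable"


@dataclass(frozen=True)
class Verdict:
    up: Optional[bool]   # True = proven up, False = reported unreachable, None = no evidence
    reason: str


# Replies that prove the target is up, per probe type.
PROVES_UP: Dict[Probe, Dict[Response, str]] = {
    Probe.ICMP_ECHO: {Response.ICMP_ECHO_REPLY: "host answered the echo request"},
    Probe.TCP_SYN: {
        Response.TCP_SYN_ACK: "port is open: host continued the three-way handshake",
        Response.TCP_RST: "port is closed, but the host still answered with RST",
    },
    Probe.TCP_ACK: {Response.TCP_RST: "unsolicited ACK was rejected with RST, revealing the host"},
    Probe.UDP: {Response.ICMP_PORT_UNREACHABLE: "host reported the UDP port closed, so it is up"},
}

# Why silence is inconclusive for each probe type.
SILENCE: Dict[Probe, str] = {
    Probe.ICMP_ECHO: "echo requests are commonly blocked; no evidence either way",
    Probe.TCP_SYN: "SYN was dropped by a filter, or the host is down",
    Probe.TCP_ACK: "a stateful firewall drops ACKs that match no connection",
    Probe.UDP: "UDP port is open (no reply expected) or the datagram was filtered",
}


def classify(probe: Probe, response: Response) -> Verdict:
    """Decide what one probe/response pair says about the host."""
    if response in PROVES_UP[probe]:
        return Verdict(True, PROVES_UP[probe][response])
    if response is Response.ICMP_OTHER_UNREACHABLE:
        # A router, or the host itself, reported the destination unreachable.
        return Verdict(False, "ICMP error says the host or network is unreachable")
    if response is Response.NONE:
        return Verdict(None, SILENCE[probe])
    return Verdict(None, f"{response.value} is not an expected reply to {probe.value}")


def host_is_up(results: List[Tuple[Probe, Response]]) -> Verdict:
    """Combine several probes: one positive reply is enough, an explicit
    unreachable error counts next, and silence from every probe proves nothing."""
    verdicts = [classify(p, r) for p, r in results]
    for v in verdicts:
        if v.up is True:
            return v
    for v in verdicts:
        if v.up is False:
            return v
    return Verdict(None, "; ".join(v.reason for v in verdicts) or "no probes sent")


if __name__ == "__main__":
    # Constructed scenario: the host blocks ICMP and sits behind a stateless
    # TCP filter that passes ACKs, so only the ACK probe draws a RST.
    scenario = [
        (Probe.ICMP_ECHO, Response.NONE),
        (Probe.TCP_SYN, Response.NONE),
        (Probe.TCP_ACK, Response.TCP_RST),
    ]
    print(host_is_up(scenario))
```

The SILENCE table is the practical lesson of this exercise: a host that is absent from a plain ping scan may simply be dropping echo requests, so a defender reviewing scan results should expect the combination of probe types nmap uses by default to find hosts that any single probe misses.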
Shut down all virtual machines used in this exercise using Practice Labs
Alternatively, you may sign out of the lab portal to power down all
devices.
Summary
You covered the following activities in this module:
• Basic Scanning
• Discovering Network Topologies
• Topology Discovery against Firewalls
• Configuring Windows Server 2016 Standard