
CompTIA Cybersecurity Analyst (CySA+)

Contents
Topology Discovery Part 1
  Introduction
    Exam Objectives
    Lab Diagram
    Connecting to your lab
  Exercise 1 - Basic Scanning
    Task 1 - Connecting to Kali
    Task 2 - Show host interfaces and routes
    Task 3 - Scan a single host/IP address
    Task 4 - Scan a range and subnet
    Task 5 - Scan a range excluding hosts/networks
    Task 6 - Fast Scan
  Exercise 2 - Discovering Network Topologies
    Task 1 - Host discovery using ping scan
    Task 2 - Port State
    Task 3 - Display open ports only
    Task 4 - Scan specific ports
    Task 5 - Tracenet to device
  Exercise 3 - Topology Discovery against Firewalls
    Task 1 - Identify and scan a firewall protected host
    Task 2 - Scan with TCP SYN, ACK Ping
    Task 3 - Scan with UDP Ping
  Summary

Topology Discovery Part 1

• Introduction
• Exercise 1 - Basic Scanning
• Exercise 2 - Discovering Network Topologies
• Exercise 3 - Topology Discovery against Firewalls
• Summary

Introduction
The Topology Discovery Part 1 module provides you with the
instructions and devices to develop your hands-on skills in the following
topics.

• Basic Scanning
• Discovering Network Topologies
• Topology Discovery against Firewalls

Lab time: It will take approximately 1 hour to complete this lab.

Exam Objectives

The following exam objectives are covered in this lab:

• CS0-001 1.1: Given a scenario, apply environmental reconnaissance techniques using appropriate tools and processes
• CS0-001 1.2: Given a scenario, analyze the results of a network reconnaissance

Lab Diagram

During your session, you will have access to the following lab configuration.
Depending on the exercises you may or may not use all of the devices, but
they are shown here in the layout to get an overall understanding of the
topology of the lab.

Connecting to your lab

In this module, you will be working on the following equipment to carry out
the steps defined in each exercise.

• PLABDC01 (Windows Server 2012 R2 - Domain Controller)
• PLABDM01 (Windows Server 2012 R2 - Member Server)
• PLABWIN801 (Windows 8.1 - Domain Member)
• PLABWIN10 (Windows 10 - Domain Member)
• PLABKALI01 (Kali 2016.2)

To start, simply choose a device and click Power on. In some cases, the
devices may power on automatically.

Exercise 1 - Basic Scanning

Host scanning is one of the first steps in network reconnaissance, used to reduce a set of IP ranges into a list of active or interesting hosts. Network administrators may only be interested in hosts running a certain service, while security auditors may care about every single device with an IP address. Administrators may be comfortable using an ICMP ping to locate hosts on the internal network, while an external penetration tester may use a diverse set of probes to evade firewall restrictions, as a ping scan itself covers more than ICMP echo requests.

In this exercise you will complete the following tasks:

• Connect to your lab devices
• Show host interfaces and routes
• Scan a single host/IP address
• Scan a range and subnet
• Scan a range excluding hosts/networks

Please refer to your course material or use your favorite search engine to research this topic further.

Task 1 - Connecting to Kali

In this task, you will power on and connect to the lab devices used within
this exercise.

Step 1
Ensure you have powered on the required devices and connect
to PLABKALI01.

Type root in the Username field.

Figure 1.1 Screenshot of PLABKALI01: Typing root into the username field
on the login screen.

Step 2
When prompted, type the following password in the Password field:

Passw0rd
Click Sign In.

Figure 1.2 Screenshot of PLABKALI01: Entering the password in the
Password text box and then clicking Sign In.

Step 3
The PLABKALI01 desktop is displayed.

Task 2 - Show host interfaces and routes

The nmap --iflist command lists the interfaces and routes of the scanning host, including which interfaces are active on the Ethernet port; this also shows whether there are routing considerations to take into account before scanning other devices.

Step 1
On the desktop, in the left pane, click the Terminal icon.

Figure 1.4 Screenshot of PLABKALI01: Clicking the Terminal icon in the
left pane.

Step 2
At the command prompt of the terminal window, type the following
command:

nmap

Figure 1.5 Screenshot of PLABKALI01: Typing the nmap command on the
terminal window.

Running nmap with no arguments prints its usage summary in the terminal window.

Figure 1.6 Screenshot of PLABKALI01: Displaying the output of the nmap
command.

Step 3
Type the following command into the terminal:

nmap --iflist

Figure 1.7 Screenshot of PLABKALI01: Typing the nmap --iflist command.

The output lists each interface with its IP address and mask (IP/MASK) and its MAC address, which is essential for communicating on the network. Below that is the routing table, whose metrics are useful when checking the path that traffic to a target will take.

Figure 1.8 Screenshot of PLABKALI01: Displaying the output of the nmap --iflist command.

Task 3 - Scan a single host/IP address

We will now map a single IP address on the topology.

Step 1
Now we will place an IP address into the command to begin a scan, i.e. nmap (IP address). Type the following command into the terminal:

nmap 192.168.0.4

Figure 1.9 Screenshot of PLABKALI01: Typing the nmap command with the
IP address.

In the output, you will see the port number, the state of each port (here listed as open), and the service name nmap associates with that port. These can then be used for further investigation.

Figure 1.10 Screenshot of PLABKALI01: Displaying the output of the nmap
command with an IP address.

Task 4 - Scan a range and subnet

In the previous task, you used nmap to scan a single IP address. You will now use nmap to scan an IP range and develop the topology further.

Step 1
If we wish to scan a range of addresses, we can list each address on the command line one after another, or give a range, as shown in the note below.

Type the following command into the terminal:

nmap 192.168.0.1 192.168.0.2 192.168.0.3 192.168.0.4 192.168.0.5 192.168.0.10

Note: An alternative way of scanning this range would be to use the following syntax: nmap 192.168.0.1-10

Figure 1.11 Screenshot of PLABKALI01: Typing the nmap command with a
range of IP addresses.

In the output, you will see the port information for all six IP addresses.

Figure 1.12 Screenshot of PLABKALI01: Displaying the output of the nmap
command with a range of IP addresses.

Step 2
Type the following command into the terminal to scan a subnet:

nmap 192.168.0.0/20

This starts the scan in the terminal window.

Note: The subnet scan can take a while to perform, so you may wish to cancel the scan should time be a consideration.

Figure 1.13 Screenshot of PLABKALI01: Typing the nmap command to scan
for a subnet

Press the following key combination to stop the scan and return to the console prompt:

Ctrl-C

The output will show all the devices in the lab, numbered from 192.168.0.1 through to 192.168.0.10.

Figure 1.14 Screenshot of PLABKALI01: Displaying the output after
scanning for a subnet

Task 5 - Scan a range excluding hosts/networks

Often a range is scanned even though not every device in it is of interest; since scanning can take a while and time is critical in these situations, asking nmap to exclude devices helps to reduce the scanning time. In this task you will exclude an address from a range.

Step 1
Type in the following command

nmap 192.168.0.1-5 --exclude 192.168.0.2

Figure 1.15 Screenshot of PLABKALI01: Typing the nmap scan with exclude
function.

Notice in the output that there is no result for the IP address 192.168.0.2, as we asked nmap to exclude this address.

Figure 1.16 Screenshot of PLABKALI01: Displaying the output of the nmap
scan with exclude function.
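
To make the cost of the target expressions used in Task 4 and Task 5 concrete, here is an added Python example (written for this edit, not part of the Practice Labs material) that expands nmap-style target specs the way nmap does: a list of addresses, the octet range 192.168.0.1-10, the CIDR block 192.168.0.0/20 and an --exclude list. It uses only the Python standard library, and the function and variable names are my own. Running it shows that the /20 in Step 2 covers 4,096 addresses rather than the handful of lab hosts, which is why that scan is slow enough to be worth cancelling, and that --exclude simply removes addresses from the expanded list before anything is scanned.

```python
import ipaddress
import re


def _expand_octet(part):
    """Expand one nmap-style octet field: '4', '1-10' or '*'."""
    if part == "*":
        return range(256)
    m = re.fullmatch(r"(\d+)-(\d+)", part)
    lo, hi = (int(m.group(1)), int(m.group(2))) if m else (int(part), int(part))
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"bad octet field: {part!r}")
    return range(lo, hi + 1)


def expand_target(spec):
    """Expand one target spec into a list of IPv4 address strings.

    Supported forms: a single address (192.168.0.4), CIDR (192.168.0.0/20),
    and nmap octet ranges such as 192.168.0.1-10, 192.168.0-1.1-10 or 10.0.0.*.
    """
    if "/" in spec:
        # Like nmap, include every address in the block (network and broadcast too).
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError(f"unsupported target spec: {spec!r}")
    a, b, c, d = (_expand_octet(f) for f in fields)
    return [f"{w}.{x}.{y}.{z}" for w in a for x in b for y in c for z in d]


def expand_targets(specs, exclude=()):
    """Expand several specs, dropping anything matched by the --exclude specs.

    First-seen order is kept and duplicates are removed, so overlapping
    ranges are listed (and would be scanned) only once.
    """
    excluded = set()
    for spec in exclude:
        excluded.update(expand_target(spec))
    seen, targets = set(), []
    for spec in specs:
        for ip in expand_target(spec):
            if ip not in excluded and ip not in seen:
                seen.add(ip)
                targets.append(ip)
    return targets


if __name__ == "__main__":
    # The target expressions typed in Tasks 4 and 5 of this exercise.
    runs = [
        (["192.168.0.1", "192.168.0.2", "192.168.0.3",
          "192.168.0.4", "192.168.0.5", "192.168.0.10"], []),
        (["192.168.0.1-10"], []),
        (["192.168.0.0/20"], []),
        (["192.168.0.1-5"], ["192.168.0.2"]),
    ]
    for specs, excl in runs:
        hosts = expand_targets(specs, excl)
        label = " ".join(specs) + (f" --exclude {' '.join(excl)}" if excl else "")
        print(f"{label}: {len(hosts)} address(es), first {hosts[0]}, last {hosts[-1]}")
```

The expander also goes slightly beyond the syntax the lab uses: nmap accepts a range or * in any octet (for example 192.168.0-1.1-10), so the example handles that form as well.
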

Task 6 - Fast Scan

You may wish to use a fast scan if you are scanning a very large network. The -F option scans fewer ports than the default scan, so it can be used to provide details when time is of the essence.

Step 1
Type in the following command seen below:

nmap -F 192.168.0.1

Figure 1.17 Screenshot of PLABKALI01: Typing the command for nmap fast
scan.

Notice that the scan where -F was applied took 14.27 seconds, whereas a normal nmap scan of the same host took 17.94 seconds.

Figure 1.18 Screenshot of PLABKALI01: Displaying the output for nmap fast scan.

Leave all devices powered on in their current state and proceed to the next exercise.

Exercise 2 - Discovering Network Topologies

Discovering the topology of a network shows which devices are active and which are in fact inactive. An analyst uses this process of discovering information about network devices and their interconnections to create a topology map that displays how the devices in the network are connected. This helps to monitor the network and ensure that it is functioning effectively. You can identify weaknesses in the network infrastructure, such as bottlenecks and failures, and isolate problem areas when troubleshooting network problems.

In this exercise you will complete the following tasks:

• Host discovery using ping scan
• Port State
• Display open ports only
• Scan specific ports
• Tracenet to device

Please refer to your course material or use your favorite search engine to research this topic further.

Task 1 - Host discovery using ping scan

With the basics covered, we can now learn which devices are in the vicinity using a ping scan, which uses the following option:

-sP

Step 1

Clear the screen by entering the following command:

clear

Type the following command into the terminal:

nmap -sP 192.168.0.1-10

Figure 2.1 Screenshot of PLABKALI01: Typing the command for Ping Scan.

The output shows the result of the ping scan across the network: which devices are considered to be ‘up’. This means those devices responded and are ready to receive network communications.

Figure 2.2 Screenshot of PLABKALI01: Displaying the output for Ping Scan.

Task 2 - Port State

Now we can scan one IP address for its ports and their states, and ask nmap to report why it assigned each state, to learn more about the device. The option is:

--reason

Step 1
Type the following command into the terminal:

nmap --reason 192.168.0.1

Figure 2.3 Screenshot of PLABKALI01: Typing the command to find the
state of ports.

The REASON column shows why nmap assigned each state: the open ports were reported because a SYN-ACK packet was received, with a TTL (time to live) value of 128.

Figure 2.4 Screenshot of PLABKALI01: Output displaying the state of ports.

Task 3 - Display open ports only

The following option restricts the output to open ports only, which is useful when we are specifically looking for ports that are listening for traffic.

--open

Step 1
Type the following command into the terminal:

nmap --open 192.168.0.1

Figure 2.5 Screenshot of PLABKALI01: Typing the command to scan for
open ports.

Once we are familiar with NMAP and network mapping, we can cut down
our port scanning to only those we are interested in. The below image
displays output for those ports which are open only.

Figure 2.6 Screenshot of PLABKALI01: Output displaying the open ports.

Task 4 - Scan specific ports

In this task, you will scan a specific port: port 80, used for HTTP traffic, which a device connected to the internet will typically have operating. The syntax is:

-p (port) (IP address)

Step 1
We will choose a port of interest that usually has traffic passing through it: port 80, used for HTTP.

Type the following command into the terminal:

nmap -p 80 192.168.0.1

Figure 2.7 Screenshot of PLABKALI01: Typing the command to scan specific port 80.

In the output we can see that the device is ‘up’ but port 80 is in a ‘closed’ state; the service column confirms this is the port used by HTTP, and the device is using a MAC address associated with Microsoft.

Figure 2.8 Screenshot of PLABKALI01: Displaying the output after
scanning for specific ports.

Step 2
If we wish to restrict a port scan to TCP only, we prefix the port with T:. Here we scan TCP port 464, used by the kpasswd5 service. The syntax is:

-p T:(port) (IP address)

Type the following command into the terminal:

nmap -p T:464 192.168.0.1

Figure 2.9 Screenshot of PLABKALI01: Typing the command for a specific port scan with TCP traffic.

The output shows the state of the TCP port 464 on the device address
192.168.0.1 which is ‘open’.

Figure 2.10 Screenshot of PLABKALI01: Displaying the output showing the
state of the TCP port.

Step 3
You’ll now scan two ports, 139 and 464, for netbios-ssn and kpasswd5. The syntax is:

-p (p1,p2) (IP address)

For example, type the following command into the terminal:

nmap -p 139,464 192.168.0.1

Figure 2.11 Screenshot of PLABKALI01: Typing the command to scan for 2
ports.

The output demonstrates the usage of scanning 2 ports on the same device,
which are both found to be open.

Figure 2.12 Screenshot of PLABKALI01: Displaying the output after
scanning for 2 ports.

Step 4
You’ll now scan a range of ports on a device, from 80 to 500. The syntax is:

-p (p1-p2) (IP address)

Type the following command into the terminal:

nmap -p 80-500 192.168.0.1

Figure 2.13 Screenshot of PLABKALI01: Typing the command to scan for a
port range.

For the single device 192.168.0.1, the result below shows only those ports in the specified range 80-500 that responded.

Figure 2.14 Screenshot of PLABKALI01: Displaying the output after
scanning for a port range.
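
The following Python example is added here to tie Tasks 2, 3 and 4 together; it is not code from the lab or from the nmap project. It parses the -p port specifications used above (80, T:464, 139,464 and 80-500, following nmap's rule that a T: or U: prefix applies to every item after it until the next prefix) and parses nmap's normal terminal output, including the REASON column that --reason adds and the "Not shown:" line, into a structure on which the same filters as --open and -p can be applied. SAMPLE_OUTPUT is constructed for this example, modelled on the lab's hosts rather than captured from them, and all function names are my own.

```python
import re

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) ([\w|]+)(?: tcp| udp)? ports")

# Constructed sample in nmap's normal output format with --reason; the hosts,
# ports and MAC are modelled on this lab, not captured from it.
SAMPLE_OUTPUT = """\
Nmap scan report for 192.168.0.1
Host is up (0.00042s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE     REASON
53/tcp  open  domain      syn-ack ttl 128
139/tcp open  netbios-ssn syn-ack ttl 128
464/tcp open  kpasswd5    syn-ack ttl 128
MAC Address: 00:15:5D:00:00:01 (Microsoft)

Nmap scan report for 192.168.0.5
Host is up (0.0010s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE     REASON
135/tcp open  msrpc       syn-ack ttl 128
139/tcp open  netbios-ssn syn-ack ttl 128
"""


def parse_port_spec(spec, scanned_protos=("tcp",)):
    """Parse an nmap -p argument into {'tcp': set, 'udp': set}.

    Handles 80, 139,464, 80-500, T:464, U:53 and mixtures such as
    U:53,T:21-25,80. As in nmap, a T:/U: prefix applies to every following
    item until the next prefix; items before any prefix apply to each
    protocol being scanned (TCP only for a default scan).
    """
    ports = {"tcp": set(), "udp": set()}
    current = tuple(scanned_protos)
    for item in spec.split(","):
        m = re.fullmatch(r"(?:([TUtu]):)?(\d+)(?:-(\d+))?", item.strip())
        if not m:
            raise ValueError(f"bad port item: {item!r}")
        prefix, lo = m.group(1), int(m.group(2))
        hi = int(m.group(3)) if m.group(3) else lo
        if prefix:
            current = ("tcp",) if prefix.upper() == "T" else ("udp",)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port out of range: {item!r}")
        for proto in current:
            ports[proto].update(range(lo, hi + 1))
    return ports


def parse_nmap_output(text):
    """Parse nmap's normal (terminal) output into one dict per host."""
    hosts, host = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            host = {"host": m.group(1), "not_shown": None, "ports": []}
            hosts.append(host)
            continue
        if host is None:
            continue
        m = NOT_SHOWN_RE.match(line)
        if m:
            host["not_shown"] = (int(m.group(1)), m.group(2))
            continue
        m = PORT_RE.match(line)
        if m:
            host["ports"].append({
                "port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                "service": m.group(4), "reason": (m.group(5) or "").strip(),
            })
    return hosts


def open_ports(host):
    """The rows --open would keep: state exactly 'open'."""
    return [p for p in host["ports"] if p["state"] == "open"]


def ports_matching(host, spec):
    """Rows whose port and protocol fall inside a -p specification."""
    wanted = parse_port_spec(spec)
    return [p for p in host["ports"] if p["port"] in wanted[p["proto"]]]


def likely_firewalled(host):
    """True when the unlisted ports were 'filtered' (probes dropped) rather than 'closed'."""
    return host["not_shown"] is not None and host["not_shown"][1] == "filtered"


if __name__ == "__main__":
    for host in parse_nmap_output(SAMPLE_OUTPUT):
        flag = " (probably behind a firewall)" if likely_firewalled(host) else ""
        print(f"{host['host']}{flag}")
        for p in ports_matching(host, "80-500"):
            print(f"  {p['port']}/{p['proto']} {p['state']} {p['service']} [{p['reason']}]")
```

The "Not shown:" line is worth reading as carefully as the port table: 997 closed ports means the host answered every probe with a RST, while 998 filtered ports means the probes were dropped, which is the signature of the firewall-protected host examined in Exercise 3.
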

Task 5 - Tracenet to device

Tracenet (the nmap --packet-trace option) details how packets cross the network by recording every packet sent and received; this produces quite a lot of data.

Step 1
Clear the screen by entering the following command:

clear

Type the following command into the terminal:

nmap --packet-trace 192.168.0.1

Figure 2.15 Screenshot of PLABKALI01: Typing the nmap command to
perform a packet trace.

Here the trace shows nmap using ARP to identify 192.168.0.1, which responded with its details to 192.168.0.3 (the scanning host). Then a series of packets were sent to 192.168.0.1 to measure its approximate distance, in terms of response time, from 192.168.0.3.

Figure 2.16 Screenshot of PLABKALI01: Displaying the output after a packet trace.

Leave all devices powered on in their current state and proceed to the next exercise.

Exercise 3 - Topology Discovery against Firewalls

Firewalls are often configured to block or not respond to ping requests, so a basic ping scan will not return a positive “up” result even though the device actually exists. Therefore, we can use other types of scanning techniques to receive an acknowledgment from a device that is behind a firewall.

In this exercise you will complete the following tasks:

• Identify and scan a firewall protected host
• Scan with TCP SYN, ACK Ping
• Scan with UDP Ping

Please refer to your course material or use your favorite search engine to research this topic further.

Task 1 - Identify and scan a firewall protected host

In this task, you will run a command which will locate hosts that are
firewall protected. This is useful as firewalls might be set to filter traffic
packets and appear as though they are not present on the network.

We will begin by first identifying a host using the following syntax.

-sA

Step 1
Clear the screen by entering the following command:

clear

Type the following command into the terminal:

nmap -sA 192.168.0.5

Figure 3.1 Screenshot of PLABKALI01: Typing the nmap command for
firewall identification.

If you refer back to the diagram in the introduction of this module, you will notice that there is a Windows 8 device listed with the IP address 192.168.0.5. Looking at our nmap scan, it shows that this device is behind an active firewall.

We would not normally get a response from a ping scan. However, even without a reply to its discovery probes, nmap can still tell us that a device exists at this address.

Figure 3.2 Screenshot of PLABKALI01: Displaying the output for firewall
identification.

Step 2
The following option skips host discovery and scans every target IP, whether or not it appears to be an available host.

-PN

Type the following command into the terminal:

nmap -PN 192.168.0.5

Figure 3.3 Screenshot of PLABKALI01: Typing the nmap command for
scanning firewall host.

The output shows that the device is ‘up’ and also the services which are
running on that device with 998 filtered ports.

Figure 3.4 Screenshot of PLABKALI01: Displaying the output after
scanning for a firewall host.

Task 2 - Scan with TCP SYN, ACK Ping

In this task, you will perform scans using TCP SYN and ACK pings. If ICMP pings are blocked, other methods are worth testing against the device.

The SYN ping sends an empty TCP packet with the SYN flag set. This suggests to the remote system that you are attempting to connect; if the port is open it will respond with the next step of the three-way handshake.

Step 1
We can also target the scan at specific ports of interest using the following option:

-PS

By default, -PS attempts to connect to port 80 regardless of the firewall, which can sometimes force a device to respond with an acknowledgment. If we wish to specify a port list, however, we can alter this as seen below.

Note: There is no space between the -PS and port list.

Type the following command into the terminal:

nmap -PS80,21,443 192.168.0.2

Figure 3.5 Screenshot of PLABKALI01: Typing the nmap command for SYN
scan against port 80.

Here we see a response from the device; notice, however, that there is no response from the selected ports 80, 21 and 443.

Figure 3.6 Screenshot of PLABKALI01: Displaying the output after SYN
scan against port 80.

Step 2
The following command is similar to the -PS command but uses the ACK
flag in the three-way handshake. The purpose is to acknowledge data over a
supposed connection where none exists. Responding hosts then send back
an RST flag giving away their presence.

-PA

Note: There is no space between the -PA and the port list.

Type the following command into the terminal:

nmap -PA80,21,200-512 192.168.0.2

Figure 3.7 Screenshot of PLABKALI01: Typing the nmap command to
perform ACK scan against port 80 and 21.

Again we have no response from the selected ports; therefore, as far as nmap scanning is concerned, these ports have been secured against these types of probe.

Figure 3.8 Screenshot of PLABKALI01: Displaying the output after the ACK
scan was performed.

Task 3 - Scan with UDP Ping

In this task, you will scan using a UDP ping. Ping scans are used to determine if a host is responding and can be considered online. UDP ping scans have the advantage of being capable of detecting systems behind firewalls with strict TCP filtering that leave UDP traffic unfiltered.

The following command sends UDP pings, which can pass firewalls and filters that only screen TCP traffic.

Step 1
Type the following command into the terminal:

nmap -sP -PU 192.168.0.2

Figure 3.9 Screenshot of PLABKALI01: Typing the nmap command for UDP ping scan.

The output from the UDP ping scan shows that there is a device active at the address 192.168.0.2.

Figure 3.10 Screenshot of PLABKALI01: Displaying the output after the UDP ping scan.
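
To show why the probes in Tasks 1 to 3 give different answers against a filtered host, here is an added Python model (written for this edit, not part of the lab) of a host behind two kinds of packet filter: a stateful firewall that drops ICMP echo, unsolicited ACKs, all UDP and SYNs to ports it does not allow, and a simple stateless filter that only blocks ICMP echo and unwanted SYNs. respond() returns what nmap would observe for an ARP, ICMP echo, SYN, ACK or UDP probe under those assumptions; host_is_up() applies nmap's rule that any reply marks the host up (or that -PN assumes it is), and ack_scan_state() mirrors -sA, which reports unfiltered on a RST and filtered on silence. The target definitions and probe ports, apart from nmap's default UDP ping port 40125, are constructed for the example, and the class and function names are my own.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Probe:
    kind: str       # "arp", "icmp-echo", "tcp-syn", "tcp-ack" or "udp"
    port: int = 0


@dataclass
class TargetModel:
    """Constructed model of a host and its packet filter (an assumption, not a real device)."""
    open_tcp: frozenset = frozenset()
    open_udp: frozenset = frozenset()
    drop_icmp_echo: bool = False
    syn_allowed: Optional[frozenset] = None  # None: every SYN reaches the host
    stateful: bool = False                   # True: unsolicited ACKs are dropped
    filter_udp: bool = False                 # True: all UDP is dropped


def respond(target, probe):
    """Reply nmap would observe for one probe, or None if the packet is dropped."""
    if probe.kind == "arp":
        # A host firewall cannot hide a host from its own broadcast domain: ARP
        # must be answered or the host loses IP connectivity. Nmap uses ARP for
        # host discovery on the local segment for exactly this reason.
        return "arp-reply"
    if probe.kind == "icmp-echo":
        return None if target.drop_icmp_echo else "echo-reply"
    if probe.kind == "tcp-syn":
        if target.syn_allowed is not None and probe.port not in target.syn_allowed:
            return None
        return "syn-ack" if probe.port in target.open_tcp else "rst"
    if probe.kind == "tcp-ack":
        if target.stateful:
            return None  # no connection matches this ACK, so it is silently dropped
        return "rst"     # an unfiltered host answers a stray ACK with RST, open port or not
    if probe.kind == "udp":
        if target.filter_udp:
            return None
        if probe.port in target.open_udp:
            return None  # most services ignore an empty datagram, so nmap learns nothing
        return "port-unreachable"  # ICMP port unreachable proves the host is there
    raise ValueError(f"unknown probe kind {probe.kind!r}")


def host_is_up(target, probes, skip_discovery=False):
    """Host discovery verdict: -PN assumes up; otherwise any reply marks the host up."""
    if skip_discovery:
        return True
    return any(respond(target, p) is not None for p in probes)


def ack_scan_state(target, port):
    """Port state an -sA scan reports: RST means unfiltered, silence means filtered."""
    return "unfiltered" if respond(target, Probe("tcp-ack", port)) == "rst" else "filtered"


# Constructed targets. FIREWALLED stands in for the lab's filtered host: it drops
# ping, drops SYNs except to two allowed ports, tracks connection state and drops
# UDP. STATELESS only filters inbound SYNs and ICMP echo, as a simple ACL would.
FIREWALLED = TargetModel(open_tcp=frozenset({135, 139}), drop_icmp_echo=True,
                         syn_allowed=frozenset({135, 139}), stateful=True, filter_udp=True)
STATELESS = TargetModel(open_tcp=frozenset({80}), drop_icmp_echo=True,
                        syn_allowed=frozenset({80}), stateful=False)

DISCOVERY_PROBES = {
    "ICMP echo (default ping)": [Probe("icmp-echo")],
    "-PS80,21,443": [Probe("tcp-syn", p) for p in (80, 21, 443)],
    "-PA80,21": [Probe("tcp-ack", p) for p in (80, 21)],
    "-PU (default port 40125)": [Probe("udp", 40125)],
    "ARP (same LAN)": [Probe("arp")],
}

if __name__ == "__main__":
    for name, target in (("FIREWALLED", FIREWALLED), ("STATELESS", STATELESS)):
        print(f"{name}:")
        for label, probes in DISCOVERY_PROBES.items():
            print(f"  {label:26} host up: {host_is_up(target, probes)}")
        print(f"  -sA port 80 -> {ack_scan_state(target, 80)}")
```

The point for a defender is which of these probes a given filter leaks: a stateless ACL reveals the host to an ACK ping and to a UDP ping, a stateful firewall does not, and nothing hides a host from ARP on its own segment, which is why the SYN and ACK pings in this exercise still reported the device as up even though none of the chosen ports answered.
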

Shut down all virtual machines used in this exercise using the Practice Labs power button function to revert these devices to their default settings. Alternatively, you may sign out of the lab portal to power down all devices.

Summary
You covered the following activities in this module:

• Basic Scanning
• Discovering Network Topologies
• Topology Discovery against Firewalls
• Configuring Windows Server 2016 Standard

