Section 4.6 Lab: Scanning with Nmap

The program Nmap (aka "Network Mapper", documented at nmap.org/book/) is a free and open source utility which can be used to scan IP addresses and ports in a network and perform security auditing of a network. Despite being created back in 1997, Nmap remains the preeminent tool for network managers. We will use it in today's lab.
For this lab, we again need to use Docker, so you can again choose a Github Codespace or a local Docker installation.

Subsection 4.6.1 Using Nmap in a Github Codespace

Go to github.com/pearcej/security-nmap. Then:
  1. Fork this codespace into your own Github repository.
  2. Navigate to your repository on GitHub.
  3. Click the green Code button and select Codespaces.
  4. Click "Create codespace on main".
  5. Wait for the codespace to be created.
Be sure to either stop or delete this codespace when you are done by clicking the "Stop" button or the "Delete" button in the Codespaces tab of your repository.
Next, please follow the directions in Subsection 4.6.3.

Subsection 4.6.2 Using Nmap in a Local Docker installation

Start by downloading and extracting the files required. Download nmap.zip from github.com/rxt1077/it230/raw/main/labs/nmap.zip and extract it to a directory you can access from the shell.

Subsection 4.6.3 Lab Instructions for Nmap

Open a shell in that directory (it should contain a docker-compose.yml file plus a victim and a scanner directory). Since we will be simulating multiple machines in this lab, we will make use of Docker Compose, which was already installed with Docker. Docker Compose reads the docker-compose.yml file, which should already be in your nmap directory.
To get started, run docker-compose up --build --detach to build and run the images in the background. You should see something like the following:
PS C:\Users\rxt1077\temp\nmap> docker-compose up --build --detach
Building victim
[+] Building 2.9s (15/15) FINISHED
 => [internal] load build definition from Dockerfile                                                                                                   0.1s
 => => transferring dockerfile: 518B                                                                                                                   0.0s
 => [internal] load .dockerignore                                                                                                                      0.1s
 => => transferring context: 2B                                                                                                                        0.0s
 => [internal] load metadata for docker.io/library/debian:latest                                                                                       0.0s
 => [ 1/10] FROM docker.io/library/debian                                                                                                              0.0s
 => [internal] load build context                                                                                                                      0.0s
 => => transferring context: 640B                                                                                                                      0.0s
 => CACHED [ 2/10] RUN apt-get -y update                                                                                                               0.0s
 => CACHED [ 3/10] RUN apt-get -y install proftpd-basic                                                                                                0.0s
 => CACHED [ 4/10] RUN sed -i "1s/.*/root:$6$.DEC7ti\/4959zEK9$H7BPwBTz6tISYG8oZuhXLS5L3ZPYwdzzQNQTg8m4Ql3ebX9U\/afVhi4OSpK3mNTSpT8DefJ2USdWuT5DHOkRY  0.0s
 => [ 5/10] RUN sed -i "/^root/d" /etc/ftpusers                                                                                                        0.4s
 => [ 6/10] COPY bad.conf /etc/proftpd/conf.d/                                                                                                         0.0s
 => [ 7/10] RUN chsh -s /bin/bash ftp                                                                                                                  0.6s
 => [ 8/10] RUN mkdir -p /home/ftp/incoming                                                                                                            0.5s
 => [ 9/10] RUN cp /etc/shadow /home/ftp/incoming/shadow.backup                                                                                        0.6s
 => [10/10] RUN chown -R ftp.users /home/ftp                                                                                                           0.5s
 => exporting to image                                                                                                                                 0.2s
 => => exporting layers                                                                                                                                0.2s
 => => writing image sha256:dc9af53b250b4f7fcfbe5a6668a540bd02ebef0353c5927ed4591a512363e831                                                           0.0s
 => => naming to docker.io/library/nmap_victim                                                                                                         0.0s

Use 'docker scan' to run Snyk tests against images to find vulnerabilities and learn how to fix them
Building scanner
[+] Building 0.1s (7/7) FINISHED
 => [internal] load build definition from Dockerfile                                                                                                   0.0s
 => => transferring dockerfile: 111B                                                                                                                   0.0s
 => [internal] load .dockerignore                                                                                                                      0.0s
 => => transferring context: 2B                                                                                                                        0.0s
 => [internal] load metadata for docker.io/library/debian:latest                                                                                       0.0s
 => [1/3] FROM docker.io/library/debian                                                                                                                0.0s
 => CACHED [2/3] RUN apt-get -y update                                                                                                                 0.0s
 => CACHED [3/3] RUN apt-get -y install nmap ftp john                                                                                                  0.0s
 => exporting to image                                                                                                                                 0.0s
 => => exporting layers                                                                                                                                0.0s
 => => writing image sha256:14ba503b7925089023184d783c53c22c4167fdf2338df0e85143daedf8b458ac                                                           0.0s
 => => naming to docker.io/library/nmap_scanner                                                                                                        0.0s

Use 'docker scan' to run Snyk tests against images to find vulnerabilities and learn how to fix them
Starting nmap_scanner_1  ... done
Recreating nmap_victim_1 ... done
Now we actually have two containers running: one named victim, which is our target machine, and another named scanner, which we will use to learn about nmap. Let's start a BASH shell on scanner and work from there. We can do this with the docker-compose run scanner bash command:
PS C:\Users\rxt1077\temp\nmap> docker-compose run scanner bash
Creating nmap_scanner_run ... done
root@7b6d733cc03a:/

Note 4.6.1.

Notice the prompt change. We are now inside the scanner container running BASH.
Let's use the Linux ip addr command to see what our IP address on this network is:
root@7b6d733cc03a:/# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
3: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
165: eth0@if166: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:14:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.20.0.2/16 brd 172.20.255.255 scope global eth0
       valid_lft forever preferred_lft forever
We care about the eth0 device, so as you can see, on my machine the address is 172.20.0.2. We will use nmap's ping scan to search for any device within the last 8 bits of our IP address (/24). You may notice that we are actually on a /16 subnet, but by limiting ourselves to /24 the scan will go much faster.
First, identify the IP address of the machine of interest. Look for the IP address in your output that appears on the line below the eth0 label; in the output above, it is on the line that begins with inet. Then use the nmap command to scan the network: type nmap -sP <IP address>/24, where <IP address> is the IP address you found above and /24 tells nmap to scan the whole network.
You should see something like the following:
root@7b6d733cc03a:/# nmap -sP 172.20.0.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2021-09-22 20:25 UTC
Nmap scan report for 172.20.0.1
Host is up (0.000076s latency).
MAC Address: 02:42:A6:CA:0D:77 (Unknown)
Nmap scan report for nmap_victim_1.nmap_default (172.20.0.3)
Host is up (0.000070s latency).
MAC Address: 02:42:AC:14:00:03 (Unknown)
Nmap scan report for 7b6d733cc03a (172.20.0.2)
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 5.78 seconds
In this instance, we found three other machines on the network, one of which is conveniently named victim.
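The step above (read the eth0 address from ip addr, then scan its /24) can be scripted so the target is derived rather than edited by hand. This is an added example, not part of the lab's files; it assumes the interface is named eth0 as in the scanner container, and the ip addr text it parses is a constructed sample shaped like the output shown above.

```shell
# Constructed sample, modelled on the "ip addr" output of the scanner container above.
SAMPLE_IP_ADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
165: eth0@if166: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:14:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.20.0.2/16 brd 172.20.255.255 scope global eth0
       valid_lft forever preferred_lft forever'

# iface_ipv4 INPUT IFACE: print the IPv4 address (without its prefix length) of IFACE.
# The "inet A.B.C.D/NN ... IFACE" line ends with the plain interface name even when the
# header line reads "eth0@if166", so the last field is what we key on.
iface_ipv4() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        $1 == "inet" && $NF == dev { sub(/\/.*/, "", $2); print $2; exit }'
}

# to_slash24 A.B.C.D: print the /24 network containing the address, e.g. 172.20.0.0/24.
# The lab deliberately scans a /24 rather than the interface's real /16 to keep the scan short.
to_slash24() {
    printf '%s\n' "$1" | awk -F. 'NF == 4 { printf "%s.%s.%s.0/24\n", $1, $2, $3 }'
}

# ping_scan_target INPUT [IFACE]: glue the two steps together; IFACE defaults to eth0.
# Fails loudly if the interface has no IPv4 address instead of producing an empty target.
ping_scan_target() {
    addr=$(iface_ipv4 "$1" "${2:-eth0}")
    [ -n "$addr" ] || { echo "no IPv4 address on ${2:-eth0}" >&2; return 1; }
    to_slash24 "$addr"
}

# Inside the scanner container you would feed it live output:
#   nmap -sP "$(ping_scan_target "$(ip addr)")"
ping_scan_target "$SAMPLE_IP_ADDR"    # prints 172.20.0.0/24
```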
Now let's do a full scan on the victim machine. Docker Compose does a nice job of resolving DNS requests for the service names in the docker-compose.yml file, so we can refer to the host we want to scan as "victim". Type nmap victim to see the following:
root@7b6d733cc03a:/# nmap victim
Starting Nmap 7.70 ( https://nmap.org ) at 2021-09-22 20:37 UTC
Nmap scan report for victim (172.20.0.3)
Host is up (0.000018s latency).
rDNS record for 172.20.0.3: nmap_victim_1.nmap_default
Not shown: 999 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
MAC Address: 02:42:AC:14:00:03 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.84 seconds
By default, nmap uses a SYN scan (see www.techtarget.com/searchnetworking/definition/SYN-scanning) against well-known ports. This type of scan is harder to detect (as it does not fully open a connection) and can be run quickly.

Question 4.6.3.

What ports are open on the victim machine? Why is this particular protocol insecure?
Nmap is capable of much more than just simple port scanning. Nmap includes version detection and OS fingerprinting (among other things). To get a much better picture of what exactly victim is running, you can use the -A option by typing nmap -A victim.
root@7b6d733cc03a:/# nmap -A victim
Starting Nmap 7.70 ( https://nmap.org ) at 2021-09-22 20:44 UTC
Nmap scan report for victim (172.20.0.3)
Host is up (0.000096s latency).
rDNS record for 172.20.0.3: nmap_victim_1.nmap_default
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x   1 ftp      users        4096 Sep 22 20:11 incoming
MAC Address: 02:42:AC:14:00:03 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=9/22%OT=21%CT=1%CU=44136%PV=Y%DS=1%DC=D%G=Y%M=0242AC%T
OS:M=614B95AE%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=109%TI=Z%CI=Z%TS=A
OS:)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B
OS:4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88
OS:)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+
OS:%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
OS:T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A
OS:=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%D
OS:F=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=4
OS:0%CD=S)

Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.10 ms nmap_victim_1.nmap_default (172.20.0.3)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.39 seconds
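When a scan covers more than one host, the open ports and the NSE script findings (such as the ftp-anon line above) are easier to review as a flat list than as separate reports. This added example, not part of the lab, extracts both from nmap's normal output; the report it parses is a constructed sample in the shape of the nmap victim and nmap -A victim reports above, with a second made-up host added to show multi-host handling.

```shell
# Constructed sample in the shape of nmap's normal output; the 172.20.0.1 entry is invented.
SAMPLE_REPORT='Nmap scan report for 172.20.0.1
Host is up (0.000076s latency).
Not shown: 998 closed ports
PORT   STATE    SERVICE VERSION
22/tcp filtered ssh
80/tcp open     http
Nmap scan report for victim (172.20.0.3)
Host is up (0.000096s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x   1 ftp      users        4096 Sep 22 20:11 incoming
MAC Address: 02:42:AC:14:00:03 (Unknown)
Nmap done: 2 IP addresses (2 hosts up) scanned in 28.39 seconds'

# open_ports INPUT: one line per port in state "open", as "host port/proto service".
# Ports that are filtered or closed are left out; the host is taken from the most recent
# "Nmap scan report for ..." header (field 5 is the hostname or the bare address).
open_ports() {
    printf '%s\n' "$1" | awk '
        /^Nmap scan report for / { host = $5; next }
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print host, $1, $3 }'
}

# script_findings INPUT: NSE script result lines ("| name: text") attached to the port
# they follow, as "host port/proto name: text". Continuation lines ("|_...") are skipped.
script_findings() {
    printf '%s\n' "$1" | awk '
        /^Nmap scan report for / { host = $5; next }
        $1 ~ /^[0-9]+\/(tcp|udp)$/ { port = $1; next }
        /^[|] [a-z0-9-]+: / { sub(/^[|] /, ""); print host, port, $0 }'
}

# On the scanner you would pipe a real scan in, e.g. script_findings "$(nmap -A victim)".
open_ports "$SAMPLE_REPORT"
script_findings "$SAMPLE_REPORT"
```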

Question 4.6.4.

What additional information did you learn from the -A option? How do you think this could be exploited?
Now, using the scanner container you are currently on, see what you can find out about victim. The ftp man page (linux.die.net/man/1/ftp) may be of some help.

Question 4.6.5.

BONUS: Remembering what you learned in the Hash it Out lab, what is the root password on the victim machine?
Hint.
Try locating the shadow file copy in the victim’s shared directory.

Question 4.6.6.

BONUS: How can you test to see if you got it right? What does this say about how ProFTP is configured on victim?
When you are all done poking around, you can exit the shell and run docker-compose down to stop victim from running in the background.

Note 4.6.7.

If you chose to use a Github codespace, don’t forget to stop or delete the codespace by clicking the "Stop" button or the "Delete" button in the Codespaces tab of your repository.