In this lab, the student will use the following utility programs to perform various scanning tasks. The objective is to develop the scanning skills needed by ethical hackers and security auditors.
Fping differs from ping in several ways. With fping, you can specify a file containing a list of hosts to ping. Another key difference is that, instead of trying one host until it times out or replies, fping sends a ping packet to each host and moves on to the next one in a round-robin fashion. If a host replies, it is noted and removed from the list of hosts to check. If a host does not respond within a certain time limit and/or retry limit, it is considered unreachable.
Hping is a packet generator and analyzer for the TCP/IP protocol suite, written and distributed by Salvatore Sanfilippo (also known as Antirez). Hping is one of the de facto tools for security auditing and for testing firewalls and networks. The idle scan technique, invented by the hping author, is now also implemented in the Nmap security scanner. The current version, hping3, is scriptable using the Tcl language, which makes it a good tool for crafting arbitrary IP packets.
tcpdump is a common packet analyzer that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. It works on most Unix-like operating systems, using the libpcap library to capture packets. There is also a tcpdump for Windows called WinDump, which uses the WinPcap library. On some Unix-like operating systems, a user must have superuser privileges to use tcpdump; however, the -Z option may be used to drop privileges to a specific unprivileged user once capturing has been set up. On other Unix-like operating systems, the packet capture mechanism can be configured to allow non-privileged users to use it; if that is done, superuser privileges are not required.
Nmap ("Network Mapper") is a free and open source utility for network exploration or security auditing. It uses raw IP packets to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), and a utility for comparing scan results (Ndiff).
Note: once these tools are installed, you can get help on using them by typing command -h (where command is the utility name, such as fping or nmap) or by typing man command. man opens the command's manual page; the arrow keys navigate through the manual, and pressing q returns you to the command line.
Use the scroll bar to read the information and answer the following questions:
Q1. Use the appropriate option to check the version of fping that you are using. Write down your answer.
Version: ____________________ Year that the version was developed / released: ________
Q2. Which of the following options allows testing the reachability of a list of IP addresses saved in the text file eiu.txt?
Q3. You want to use the fping utility to send ping messages to a target computer in an attempt to “overload” it with repetitive requests that could lead to some kind of denial of service. What fping option could do that? Answer: ______________
Q4. Type fping www.google.com followed by the ENTER key to check the reachability of the computer that hosts the Google web service. Is the target live (i.e. reachable)? Yes / No.
The target should be live, because Google does not block ICMP echo (ping) requests to its web servers.
Q5. Now use fping with the -l option to send repeated ping requests to www.google.com. You may stop the pinging (by pressing Ctrl+C) after seeing 10 replies or so. What percentage of the ping requests to www.google.com were lost, that is, received no reply? Answer: _______________. Which of the following might explain the result?
The –l option of fping doesn’t work yet because the fping utility is still under development
There may be a bug in the fping utility
The network defense system at Google is configured to prevent pinging targets in a loop forever
None of the above. Explain: ____________________________________________________
Type fping 220.127.116.11 18.104.22.168 followed by the ENTER key. Based on the result, answer the following two questions.
Q6. Based on the result, which of the two computers is connected to the Internet? Write down its IP address: ____________________.
Q7. What are the possible reasons why you cannot reach the other target? (Choose all that apply)
The IP address is not assigned to any computer
A firewall is configured to block pinging that specific address
You cannot pass a list of IP addresses on the command line with fping. The IP addresses need to be saved in a file such as addresses.txt and passed with fping -f addresses.txt.
None of the above
Which of the following commands would allow you to ping all computers whose IP address begins with 139.67.14 and whose last octet is any number between 0 and 255? Read the fping help information. [Please do not try the commands; instead, read the fping help to find out.]
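The fping workflow used in this section (a round-robin sweep that reports each host as alive or unreachable, plus a per-host xmt/rcv/%loss summary when a count is given with -c) produces simple line-oriented output. The following Python script is an added example and is not part of the lab handout or of fping itself: it parses a constructed sample of that output (the 192.0.2.x addresses and counters are made up), decides which hosts count as live, and assembles the follow-on nmap command. The 50% loss threshold is an arbitrary choice for the example. When you run fping for real, note that the -c summary lines go to stderr, so capture them with 2>&1.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of fping output for this example (not captured from a real run).
# "fping host1 host2" prints one "is alive" / "is unreachable" line per target;
# "fping -c N host..." prints a per-host summary with xmt/rcv/%loss counters.
SAMPLE_FPING_OUTPUT = """\
192.0.2.10 is alive
192.0.2.11 is unreachable
192.0.2.10 : xmt/rcv/%loss = 3/3/0%, min/avg/max = 0.21/0.25/0.31
192.0.2.11 : xmt/rcv/%loss = 3/0/100%
192.0.2.12 : xmt/rcv/%loss = 10/7/30%, min/avg/max = 12.4/15.0/19.8
"""

STATUS_RE = re.compile(r"^(\S+) is (alive|unreachable)$")
SUMMARY_RE = re.compile(r"^(\S+) : xmt/rcv/%loss = (\d+)/(\d+)/(\d+)%")


def parse_fping(output: str) -> Dict[str, dict]:
    """Return {host: {"alive": bool, "sent": int, "received": int, "loss_pct": int}}.

    Lines that match neither format (per-probe reply lines, warnings) are ignored.
    """
    hosts: Dict[str, dict] = {}
    for raw in output.splitlines():
        line = raw.strip()
        m = STATUS_RE.match(line)
        if m:
            hosts.setdefault(m.group(1), {})["alive"] = (m.group(2) == "alive")
            continue
        m = SUMMARY_RE.match(line)
        if m:
            sent, rcvd, loss = (int(x) for x in m.group(2, 3, 4))
            entry = hosts.setdefault(m.group(1), {})
            entry.update(sent=sent, received=rcvd, loss_pct=loss)
            # No explicit alive/unreachable line: treat any reply as proof of life.
            entry.setdefault("alive", rcvd > 0)
    return hosts


def live_hosts(hosts: Dict[str, dict], max_loss_pct: int = 50) -> List[str]:
    """Hosts that answered and whose packet loss is at or below the threshold."""
    return sorted(
        h for h, e in hosts.items()
        if e.get("alive") and e.get("loss_pct", 0) <= max_loss_pct
    )


def build_nmap_command(targets: List[str], ports: Optional[str] = None) -> List[str]:
    """Next step in the lab: hand the live hosts to a SYN scan.

    -sS builds raw packets, so the command is prefixed with sudo.
    """
    cmd = ["sudo", "nmap", "-sS"]
    if ports:
        cmd += ["-p", ports]
    return cmd + list(targets)


if __name__ == "__main__":
    parsed = parse_fping(SAMPLE_FPING_OUTPUT)
    for host, info in sorted(parsed.items()):
        print(host, info)
    alive = live_hosts(parsed)
    print("live:", alive)
    print(" ".join(build_nmap_command(alive, ports="21,80")))
```

To use it on a real sweep, replace SAMPLE_FPING_OUTPUT with the captured text of, for example, fping -c 3 -f addresses.txt 2>&1, and pass the returned command list to subprocess.run.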
Type nmap -h followed by the ENTER key. If you get a message saying that nmap is not installed, install and run the utility as follows:
Note: You need administrative privileges to install an application. When working in a terminal, typing sudo before a command runs that command with administrator (root) privileges.
Type sudo apt-get install nmap followed by the ENTER key
If asked for your password, type it followed by the ENTER key
If/when asked to confirm with Y/N, answer Y
You should see output indicating that the nmap package has been installed
When you get the prompt, type nmap -h followed by the ENTER key again
You should get the syntax for nmap along with its options
To perform a SYN (half-open) scan of the computer that hosts the Google web service, in order to find out which TCP ports are open, type nmap -sS www.google.com followed by the ENTER key. Note: a SYN scan crafts raw packets and therefore requires root privileges, so prefix the command with sudo; depending on how much time has passed since you last used sudo, it may or may not ask for your password again. Note also that a SYN scan reports only TCP ports; UDP ports require a separate UDP scan.
Now type nmap -sS -v www.google.com followed by the ENTER key.
Q8. What does the -v option you added to the command do in this case?
It displays the version of nmap being used
It activates verbosity, which means it makes the system show you the scanning activities as they happen.
None of the above. Explain: ___________________________________________________
Answer the following questions based on the result.
Q9. How many IP addresses are assigned to the target computer? _____________
Q10. Based on the result, which of the following are among the services hosted by the target computer? (Choose all that apply)
For this step, you may check the nmap help (a copy is in Appendix 1) to determine which option to use. Note that if you do not get a response from the target within a reasonable time (a few seconds), stop the scan by pressing Ctrl+C. Perform a UDP scan of the 22.214.171.124 target in order to determine which UDP ports are open on it. You may need the -v option to see interactively what is going on. Keep in mind that UDP scans are slow by nature: a closed UDP port is recognized by the ICMP port unreachable reply it sends, which many systems rate-limit, and a port that never answers can only be reported as open|filtered after a timeout. Based on your attempt, write down the correct command: _________________________________________________________
Perform an ACK scan of the 126.96.36.199 target. You may need the -v option to see interactively what is going on. This scan should work, but the defense system protecting the target may have been strengthened by the time you try, which would lead to the scan not working. Answer the following questions based on the result you got.
Q11. What is the host name of the target? _______________________________
Q12. How many ports were scanned? _______________
Q13. How many of the ports are filtered? ____________
Q14. You may read the information about ACK scans in the book (p.91) to answer this question. What does the result tell you about the defense system protecting the target?
The filtering devices (if any) appear to be fooled because the scan packet went through
In a normal communication, the ACK packet should be sent after a SYN and a SYN/ACK are exchanged between the two parties
All of the above
Q15. You want to perform a scan of www.eiu.edu, but you are interested in scanning the target for only the following ports: 21 and 80. Which of the following commands would you type?
nmap -port 21 80 www.eiu.edu
nmap -p 21 80 www.eiu.edu
nmap -p 21,80 www.eiu.edu
nmap -P 80 21 www.eiu.edu
Use the information in Appendix 1 to answer the following questions.
You want to scan all open ports on the computer with IP address 188.8.131.52 in order to get information on the hosted services along with the versions of the software providing them. What nmap command would you type? Write down the command:
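Counting scanned, filtered and open ports by hand (as in Q12 and Q13 for the ACK scan above) does not scale to many hosts, and the same goes for copying version strings out of a -sV scan like the one asked for here. Nmap can write its results in grepable form with -oG, and that format is easy to parse. The following Python script is an added example, not part of the lab or of nmap itself: it parses a constructed -oG sample (the hosts, host names and version strings are made up) and reports, per host, how many ports were scanned, how many are filtered or open, and which service versions an -sV scan reported. In grepable output each port is written as port/state/protocol/owner/service/rpc/version/ and the ports nmap folds together are summarized as "Ignored State: <state> (<count>)".

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample of nmap grepable (-oG) output for this example, not a real capture.
# Host 192.0.2.20 is the ACK-scan case (ports unfiltered/filtered); 192.0.2.21 is a
# SYN + version-detection case (ports open/closed with version strings). Fields in a
# Host line are tab-separated, which is why the sample uses \t.
SAMPLE_NMAP_GREPABLE = """\
# Nmap 7.94 scan initiated as: nmap -sA -sV -oG - 192.0.2.20 192.0.2.21
Host: 192.0.2.20 (www.example.test)\tStatus: Up
Host: 192.0.2.20 (www.example.test)\tPorts: 22/unfiltered/tcp//ssh///, 80/unfiltered/tcp//http///\tIgnored State: filtered (998)
Host: 192.0.2.21 ()\tStatus: Up
Host: 192.0.2.21 ()\tPorts: 80/open/tcp//http//nginx 1.24.0/, 443/open/tcp//https//nginx 1.24.0/\tIgnored State: closed (998)
# Nmap done -- 2 IP addresses (2 hosts up) scanned in 4.21 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")
# port/state/protocol/owner/service/rpc/version/
PORT_RE = re.compile(r"^(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/$")
IGNORED_RE = re.compile(r"Ignored State: ([\w|]+) \((\d+)\)")


def parse_grepable(text: str) -> Dict[str, dict]:
    """Return {ip: {"hostname": str|None, "ports": [...], "states": Counter}}."""
    hosts: Dict[str, dict] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything else
        ip, name, rest = m.groups()
        entry = hosts.setdefault(ip, {"hostname": name or None, "ports": [], "states": Counter()})
        for field in rest.split("\t"):
            if field.startswith("Ports: "):
                for item in field[len("Ports: "):].split(", "):
                    pm = PORT_RE.match(item)
                    if not pm:
                        continue
                    port, state, proto, _owner, service, _rpc, version = pm.groups()
                    entry["ports"].append({"port": int(port), "state": state, "proto": proto,
                                           "service": service, "version": version})
                    entry["states"][state] += 1
            elif field.startswith("Ignored State: "):
                im = IGNORED_RE.search(field)
                if im:
                    # The ignored ports were scanned too; they just share one state.
                    entry["states"][im.group(1)] += int(im.group(2))
    return hosts


def port_summary(entry: dict) -> dict:
    """Totals a lab question would ask for: scanned, filtered and open port counts."""
    states = entry["states"]
    return {"scanned": sum(states.values()), "filtered": states["filtered"], "open": states["open"]}


def service_versions(entry: dict) -> List[str]:
    """'port/proto service version' for every open port, as reported by -sV."""
    return [f"{p['port']}/{p['proto']} {p['service']} {p['version']}".strip()
            for p in entry["ports"] if p["state"] == "open"]


if __name__ == "__main__":
    for ip, entry in parse_grepable(SAMPLE_NMAP_GREPABLE).items():
        print(ip, entry["hostname"], port_summary(entry))
        for svc in service_versions(entry):
            print("   ", svc)
```

For a real scan, save the results with something like sudo nmap -sV -oG scan.gnmap <target> and pass the file's contents to parse_grepable. Note that nmap's default port list covers 1000 ports, so "scanned" will normally come to 1000 unless you changed it with -p.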
You want to use nmap to scan a target computer, but you do not want to go further than determining if the target is online. Which of the following options would you use?
None of the above
You want to use nmap to scan a target computer in order to determine which IP protocols it supports. Which of the following options would you use?
None of the above
Use nmap to scan the computer with the host name www.google.com to determine which IP protocols it supports. Based on the result, name two of the protocols it supports: ____________, _____________. How many protocols are reported in a state (such as open|filtered) for which you cannot get definitive information because of filtering? Answer: ______________
You want to perform a scan and get information about the operating system installed on the target computer. Which of the following option would you use?
None of the above
You want to use nmap to perform target scans, and you want to spoof your computer's IP address in an attempt to avoid being blocked by firewalls and other devices in the defense system that protects the target. Which option should you use? Answer: ______________. Keep in mind that the target's replies are then sent to the spoofed address, so you will not see the scan results unless you can capture the traffic destined for that address.