
Getting to Know Nmap

Activity 5-1
Introduction
Network Mapper (Nmap) is an essential tool for network reconnaissance and security auditing. It
is widely used by cybersecurity professionals to perform host discovery, port scanning, and
service enumeration (Lyon, 2009). This activity aims to provide hands-on experience with Nmap
by executing various scans on a target network while adhering to ethical guidelines.

nmap -h | less
This command pipes Nmap's built-in option summary into less, so the help text can be scrolled and searched instead of running off the top of the terminal. Three significant options for the Nmap command were identified (Nmap's long options take two leading dashes):
1. --traceroute: Trace hop path to each host
2. -sL: List Scan - simply list targets to scan
3. -Pn: Treat all hosts as online -- skip host discovery
Performing a SYN Scan on a Target IP (136.142.35.137)

Port 8090/tcp: Open; Nmap labels it opsmessaging.
999 other ports: Filtered (no response received).

A port is reported filtered when neither a SYN/ACK nor an RST comes back after Nmap's retransmissions, so either a firewall is dropping the probes or the host is configured to ignore that type of traffic (Lyon, 2009). The opsmessaging label is not the result of service detection: without -sV, Nmap only looks the port number up in its nmap-services table, so the name says what usually listens on 8090, not what this host is actually running. If the host is indeed running an operations-messaging service, that is the kind of service commonly used for inter-service communication in distributed environments (Singh, 2022), but a -sV scan would be needed to confirm it.
The scan also shows why a SYN scan is called "half-open": Nmap answers the SYN/ACK with an RST instead of completing the handshake, so the connection never reaches the listening application and is less likely to appear in its logs. That is not the same as evading intrusion detection systems (IDS); a burst of SYNs to 1,000 ports on one host is one of the easiest patterns for an IDS to flag.
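To make the open/filtered distinction concrete, the following Python model is added here as an example; it is not Nmap's code and sends no packets. It applies the SYN-scan rules from the Nmap reference guide to a constructed set of replies that mirrors this scan (one port answering SYN/ACK, 999 answering nothing). The reply data, the port range and the retry count are assumptions; the state and reason names are the ones Nmap prints when run with --reason.

```python
"""SYN-scan state inference, added as an example for this report (it is not
Nmap's code).  It applies the rules the Nmap reference guide gives for -sS
(Lyon, 2009) to the replies a half-open probe receives, and labels each
verdict with the same reason words that `nmap --reason` prints."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Reply:
    """One reply to a SYN probe.  Set tcp_flags (e.g. "SA" for SYN/ACK,
    "RA" for RST/ACK) or icmp (type, code) of an ICMP error, not both."""
    tcp_flags: Optional[str] = None
    icmp: Optional[Tuple[int, int]] = None


# ICMP destination-unreachable (type 3) codes that make Nmap mark a port
# filtered, keyed to the reason strings --reason shows for them.
ICMP_FILTERED = {
    (3, 0): "net-unreach",
    (3, 1): "host-unreach",
    (3, 2): "proto-unreach",
    (3, 3): "port-unreach",
    (3, 9): "net-prohibited",
    (3, 10): "host-prohibited",
    (3, 13): "admin-prohibited",
}


def classify_reply(reply: Reply) -> Optional[Tuple[str, str]]:
    """Map a single reply to (state, reason), or None if it decides nothing."""
    if reply.tcp_flags is not None:
        flags = set(reply.tcp_flags)
        if "R" in flags:
            return ("closed", "reset")          # RST: nothing is listening
        if "S" in flags:
            return ("open", "syn-ack")          # SYN/ACK: a listener answered
        return None                             # other TCP packets are ignored
    if reply.icmp in ICMP_FILTERED:
        return ("filtered", ICMP_FILTERED[reply.icmp])
    return None


def syn_scan_state(replies: List[Optional[Reply]], max_tries: int = 2) -> Tuple[str, str]:
    """replies[i] is what came back to the i-th probe of a port (None = nothing).
    Nmap retransmits unanswered probes; only when every try goes unanswered
    does it report filtered/no-response, which is why a lossy link can make
    open ports look filtered.  max_tries=2 is an assumption for the model."""
    for reply in replies[:max_tries]:
        if reply is None:
            continue
        verdict = classify_reply(reply)
        if verdict is not None:
            return verdict
    return ("filtered", "no-response")


def summarize_scan(replies_by_port: Dict[int, List[Optional[Reply]]]) -> Dict[str, List[Tuple[int, str]]]:
    """Group ports by state, as Nmap's report does before collapsing the
    uninteresting states into its 'Not shown:' line."""
    result: Dict[str, List[Tuple[int, str]]] = {"open": [], "closed": [], "filtered": []}
    for port in sorted(replies_by_port):
        state, reason = syn_scan_state(replies_by_port[port])
        result[state].append((port, reason))
    return result


# Constructed sample modelling the report's first scan: ports 1-999 stand in
# for the rest of Nmap's default 1,000-port list and never answer, while
# 8090 replies with SYN/ACK.  No packets are sent; this is an offline model.
SAMPLE_REPLIES: Dict[int, List[Optional[Reply]]] = {p: [None, None] for p in range(1, 1000)}
SAMPLE_REPLIES[8090] = [Reply(tcp_flags="SA")]

if __name__ == "__main__":
    summary = summarize_scan(SAMPLE_REPLIES)
    print("open:", summary["open"])                  # [(8090, 'syn-ack')]
    print("filtered:", len(summary["filtered"]))     # 999
```

The model makes the caveat in the text visible: an ICMP admin-prohibited reply and a total silence both land in "filtered", and the reason string is the only thing that tells them apart, which is what --reason adds to a real scan.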
Scanning a Different IP Address (192.168.100.1)

Port 23/tcp: Open (Telnet service).
Port 53/tcp: Open (Domain Name System - DNS service).
Port 80/tcp: Open (HTTP web service).
997 other ports: Filtered (no response received).

Unlike the previous scan, which revealed only port 8090 (labelled opsmessaging) open, this scan detected:
- Telnet (Port 23): A remote login service that is a major security risk because it carries the login credentials and the whole session in cleartext.
- DNS (Port 53): A key service for domain name resolution; a TCP listener on 53 is typical of a resolver or authoritative name server.
- HTTP (Port 80): Indicates the presence of a web server.
This significant difference in open ports suggests:
- 192.168.100.1 is likely a network infrastructure device (e.g., a router or firewall): a Telnet console plus a DNS listener on a private address is the usual profile of a home or small-office gateway.
- The prior host (136.142.35.137) may have a stricter firewall configuration or different operational services.
- Open Telnet (Port 23) raises security concerns, as it is an outdated protocol prone to interception (Singh, 2022).
Security Implications
Port 80 being open means the device offers a web interface over cleartext HTTP. On a gateway this is usually the management interface, so any login to it can be captured on the path, and the application behind it is the natural target for web-based exploits. Whether it is actually exploitable cannot be determined from a port scan alone; that requires examining the application itself.
Scanning a Range of IP Addresses
- Host 192.168.100.2: All 1,000 scanned ports were in ignored states. Nmap prints this summary when every scanned port shares one non-open state, so no open ports were detected; the state itself (closed or filtered) appears on the "Not shown:" line that follows.
- Host 192.168.100.3: All 1,000 scanned ports were filtered, meaning the system either drops the probes or has no accessible services.
Comparison and Interpretation
- Host 192.168.100.1 is highly active with multiple open services, making it a potential network infrastructure device (e.g., a router or a DNS server).
- Hosts 192.168.100.2 and 192.168.100.3 either expose no listening services or sit behind filtering that drops unsolicited probes. The "Not shown:" state distinguishes the two cases: a closed port answers with an RST, a filtered port answers with nothing.
- Network Security Insight: The contrast in port responses suggests that network segmentation and firewall configurations are in place to limit exposure.
Advantages of Range Scanning
- Efficiency: Scanning multiple hosts in a single command reduced execution time.
- Better Network Mapping: Revealed host-specific security policies.
- Potential Vulnerabilities Identified: Open Telnet and HTTP ports on 192.168.100.1 suggest possible security risks.
Formatting Output for better readability

Purpose of Using less

- Improved Readability: Piping the scan into less paginates large outputs, preventing them from scrolling off the terminal.
- Easier Debugging: By scrolling (and searching with /), the user can pinpoint the timeout and retransmission messages that verbose output reports.
- Faster Analysis: Allows for efficient review of long scan results without losing track of previous lines.
For anything beyond a one-off look, Nmap's own output options are the more durable choice: -oN (normal text), -oX (XML) and -oG (grepable) save the results to a file, and -oA writes all three, so the scan can be re-read or parsed later without being repeated.

Identifying SMTP or HTTP Services

Port 80 (HTTP): Open, indicating that a web service is running; it might be hosting an administrative panel, website, or web-based API.
Port 25 (SMTP): Filtered. No reply came back to the probe, so a firewall, IDS or network filtering rule is most likely dropping it. SMTP is used for email transmission, and port 25 is commonly blocked by ISPs and perimeter firewalls for exactly that reason, so a filtered result here says little about whether a mail server exists behind the filter.
If SMTP were open, it would indicate an active mail transfer agent (MTA) such as Postfix or Exim, which could be misconfigured as an open relay (spam relaying) or exposed to brute-force authentication attacks (Lyon, 2009).
Activity 5-2
Exploring the Nmap Manual Page
man nmap presents comprehensive explanations, allowing security analysts to explore:
- Port scanning techniques (-sS SYN, -sT connect, -sU UDP)
- Service/version detection and OS fingerprinting (-sV, -O)
- Nmap Scripting Engine (NSE) options (-sC runs the default script set; --script selects scripts or categories by name)
Executing a Script Scan (-sC)
Open Ports and Running Services
Port 23 (Telnet): Open – Indicates a remote login service that is outdated and vulnerable due to lack of encryption.
Port 53 (DNS): Open – Suggests that this host could be running a DNS resolver or authoritative name server.
Port 80 (HTTP): Open – Confirms an active web service.
HTTP Service Analysis
Website Title (http-title.nse): The web server does not have a defined site title.
Supported HTTP Methods (http-methods.nse): The server advertised only GET in its reply to an OPTIONS request. That is a smaller attack surface than servers that also accept PUT, DELETE or TRACE, but http-methods reports what the server claims, not what it enforces, so other methods should still be tried directly before concluding they are blocked.
SSL Certificate Analysis
Common Name (CN): Huawei Technologies Co., Ltd.
Organization Name: Huawei Technologies Co., Ltd., based in Guangdong, China.
Public Key: RSA, 2048-bit.
Signature Algorithm: SHA-256 with RSA encryption.
Validity Period: Not valid before December 5, 2014; expires December 4, 2024.
MD5 and SHA-1 fingerprints were also captured.
This is a vendor-default certificate: its CN is an organisation name rather than the hostname or address clients connect to, so no client can validate it for this device, and its ten-year lifetime is far longer than current public CA practice allows. It also reinforces the identification of 192.168.100.1 as a Huawei gateway. The -sC scan thus surfaced configuration detail that a plain port scan does not show: the cleartext Telnet service, the HTTP server's advertised methods, and the identity and lifetime of the TLS certificate.
Isolating Port 443 (HTTPS)

Port 443 (HTTPS): Nmap received no reply at all to its probe, so no HTTPS service was reachable on this port from the scanning host; a firewall or an access control list is most likely dropping external HTTPS connections.

Reason: "no-response", confirming that Nmap received neither an explicit rejection (RST packet) nor an acknowledgment (SYN/ACK packet). This reason maps to the filtered state, not closed: a closed port answers with an RST, which --reason reports as "reset". A filtered port may still have a service behind it that is reachable from a different network position.
This step demonstrates how Nmap's --reason flag enhances network diagnostics and security analysis (Lyon, 2009; Singh, 2022).
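The range comparison in Activity 5-1 and the --reason check above both come down to reading the state and the reason of every port per host. The following parser, added here as an example (it is not the report's own code and not part of Nmap; standard library only), does that from Nmap's XML output, which records the reason whenever --reason is given, and flags cleartext services for follow-up. The embedded XML is constructed to mirror the 192.168.100.1-3 results; that host .2 answered with resets (closed) rather than nothing (filtered) is an assumption, as the report does not state that host's non-open state.

```python
"""Parser for Nmap's XML output (-oX), added as an example for this report;
it is not part of the report or of Nmap and uses only the standard library.
It reads the per-port state and the reason that --reason records, then
compares hosts the way the range scan was compared by hand."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample mirroring the report's 192.168.100.1-3 scan.  The
# closed/reset state of host .2 is an assumption (the report says only that
# its ports were in a non-open state).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS --reason -oX - 192.168.100.1-3">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.100.1" addrtype="ipv4"/>
<ports>
<extraports state="filtered" count="997"><extrareasons reason="no-response" count="997"/></extraports>
<port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/><service name="telnet" method="table" conf="3"/></port>
<port protocol="tcp" portid="53"><state state="open" reason="syn-ack"/><service name="domain" method="table" conf="3"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" method="table" conf="3"/></port>
</ports></host>
<host><status state="up" reason="arp-response"/>
<address addr="192.168.100.2" addrtype="ipv4"/>
<ports><extraports state="closed" count="1000"><extrareasons reason="reset" count="1000"/></extraports></ports></host>
<host><status state="up" reason="arp-response"/>
<address addr="192.168.100.3" addrtype="ipv4"/>
<ports><extraports state="filtered" count="1000"><extrareasons reason="no-response" count="1000"/></extraports></ports></host>
</nmaprun>
"""

# Protocols that carry credentials or content in cleartext.  The match is on
# Nmap's port-table name (method="table"), which is a guess, so hits are
# follow-up items, not confirmed vulnerabilities.
CLEARTEXT = {"telnet", "ftp", "http", "smtp", "pop3", "imap"}


@dataclass
class HostResult:
    addr: str
    open_ports: List[Tuple[int, str, str, str]] = field(default_factory=list)  # (port, service, reason, method)
    other: Dict[str, int] = field(default_factory=dict)                       # non-open state -> port count
    reasons: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))  # state -> reasons seen


def parse_nmap_xml(text: str) -> Dict[str, HostResult]:
    hosts: Dict[str, HostResult] = {}
    for h in ET.fromstring(text).iter("host"):
        addr = h.find("address[@addrtype='ipv4']").get("addr")
        res = HostResult(addr)
        ports = h.find("ports")
        if ports is not None:
            # <extraports> is how Nmap collapses the uninteresting ports.
            for ep in ports.findall("extraports"):
                state = ep.get("state")
                res.other[state] = res.other.get(state, 0) + int(ep.get("count"))
                for r in ep.findall("extrareasons"):
                    res.reasons[state].add(r.get("reason"))
            for p in ports.findall("port"):
                st = p.find("state")
                state, reason = st.get("state"), st.get("reason")
                res.reasons[state].add(reason)
                if state == "open":
                    svc = p.find("service")
                    name = svc.get("name") if svc is not None else "unknown"
                    method = svc.get("method") if svc is not None else "none"
                    res.open_ports.append((int(p.get("portid")), name, reason, method))
                else:
                    res.other[state] = res.other.get(state, 0) + 1
        hosts[addr] = res
    return hosts


def cleartext_services(hosts: Dict[str, HostResult]) -> List[Tuple[str, int, str]]:
    """Open ports whose service name is a cleartext protocol, per host."""
    return [(h.addr, port, name)
            for h in hosts.values()
            for port, name, _reason, _method in h.open_ports
            if name in CLEARTEXT]


def describe(h: HostResult) -> str:
    """One line per host, in the spirit of Nmap's own 'Not shown:' line."""
    opens = ", ".join(f"{p}/{n}" for p, n, _, _ in h.open_ports) or "none"
    rest = "; ".join(f"{c} {s} ({'/'.join(sorted(h.reasons[s]))})" for s, c in h.other.items()) or "none"
    return f"{h.addr}: open {opens}; not shown: {rest}"


if __name__ == "__main__":
    results = parse_nmap_xml(SAMPLE_XML)
    for host in results.values():
        print(describe(host))
    print("cleartext services:", cleartext_services(results))
```

For a real scan, run nmap -sS --reason -oX scan.xml <targets> and pass the file's contents to parse_nmap_xml. The method field of each open port records whether the service name came from the port table ("table") or from -sV probes ("probed"), which is the distinction the opsmessaging label in Activity 5-1 depends on.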
Conclusion
These techniques are crucial in ethical hacking, penetration testing, and cybersecurity
assessments, ensuring efficient and accurate network discovery (Graham, 2021).
References
Graham, R. (2021). Network security testing with Nmap: Best practices and strategies.
Cybersecurity Press.
Lyon, G. F. (2009). Nmap Network Scanning: The Official Nmap Project Guide to Network
Discovery and Security Scanning. Insecure.Org.
Singh, R. (2022). Cybersecurity operations and threat intelligence. Wiley.
