Nmap

To start the lab clone the 354 repo (if you haven't) and run the script for the lab.

git clone https://github.com/cs354/CS-354.git
bash CS-354/labs/nmap.bash

Introduction

Nmap is a port scanner included in many distributions of Linux and other UNIX like systems. It can be used to scan machines in a network in a variety of different ways.

Command Line Options

Nmap Usage

Nmap is run from the command line, so you run it just like all other command line programs. For the most part, nmap will run without needing root access, but for certain scans, you will have to be root. This is because nmap sometimes needs to create raw packets. You may see the error sudo: setrlimit(RLIMIT_CORE): Operation not permitted, you can ignore this.

Things To Try

Try scanning scanme.nmap.org with the different flags listed above from netsec-playground.cs.northwestern.edu. You can use sudo from netsec-playground. Look through the output and see how the scan results differ. A typical nmap command line looks like this: (~1 minute to run)

$ sudo nmap -A -sS -P0 -p 1-65535 scanme.nmap.org

Nmap allows you to easily scan an entire subnet. Before running this command, discuss with your partner which IP addresses it will scan. Be careful when scanning subnets, though. If you specify something like 165.124.184.178/1 by accident, you'll actually be scanning half of the internet. (~ 3 minutes)

$ sudo nmap -A -sS -P0 45.33.32.156/31

You can run the following scan without root privilege. Why?

$ nmap -sT -p 1-65535 scanme.nmap.org

Read the man page:

$ man nmap

Classwork

We've setup another container on your network for you to exploit. The script for this lab will have printed the hostname of the service in the README seciton. There is a service located in the port range 1400-1600, use nmap to find the port running the service, use netcat to make a connection to the port and see what's running, and then figure out how to connect to the service. The credentials are both root.

Inside the container you are trying to attack there is a file in the root directory @ /flag.txt. Show this to the TA to get credit.