Nmap
To start the lab, clone the 354 repo (if you haven't already) and run the script for the lab.
git clone https://github.com/cs354/CS-354.git
bash CS-354/labs/nmap.bash
Introduction
Nmap is a port scanner included in many Linux distributions and other UNIX-like systems. It can scan the machines on a network in a variety of different ways.
Command Line Options
-A    Enables OS detection, version detection, script scanning and traceroute
-P0   Treat all hosts as online (skip host discovery); -P0 is the older spelling of -Pn, and current Nmap releases accept both
-sS   TCP SYN scan
-sT   TCP connect scan
-sA   TCP ACK scan
-sW   TCP window scan
-sM   TCP Maimon scan
-sN   TCP null scan
-sF   TCP FIN scan
-sX   TCP Xmas scan
-p <port ranges>   Only scan the specified ports
Nmap Usage
Nmap is run from the command line, so you run it just like any other command line program. For the most part, nmap will run without root access, but certain scans require root, because nmap sometimes needs to create raw packets. You may see the error sudo: setrlimit(RLIMIT_CORE): Operation not permitted; you can ignore this.
Things To Try
Try scanning scanme.nmap.org with the different flags listed above. Look through the output and see how the scan results differ. A typical nmap command line looks like this (takes about 1 minute to run):
$ nmap -A -sS -P0 -p 1-65535 scanme.nmap.org
Nmap allows you to easily scan an entire subnet. Before running this command, discuss with your partner which IP addresses it will scan. Be careful when scanning subnets, though. If you specify something like 165.124.184.178/1 by accident, you'll actually be scanning half of the internet. (~ 3 minutes)
$ nmap -A -sS -P0 45.33.32.156/31
You can run the following scan without root privilege. Why?
$ nmap -sT -p 1-65535 scanme.nmap.org
Read the man page:
$ man nmap
Classwork
We've set up another container on your network for you to exploit. The script for this lab will have printed the hostname of the service in the README section. There is a service listening in the port range 1400-1600: use nmap to find the port running the service, make a connection to that port to see what's running, and then figure out how to connect to the service. The credentials are both root.
Inside the container you are attacking there is a file at /flag.txt. Take a screenshot of the contents of flag.txt and submit it on Canvas.
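For the classwork step of locating the service in the 1400-1600 range, here is an added helper that is not part of the lab materials: it parses Nmap's grepable output format (-oG, which the flag list above does not cover; the format is Nmap's own, with tab-separated "Name: value" fields and port entries written as port/state/proto/owner/service/rpcinfo/version/) and keeps only the ports reported open within a range. The sample output, the address 10.0.0.5, the name lab-target and the "Example Service" version string are constructed placeholders, not real lab values.

```python
import sys
from dataclasses import dataclass

# Constructed sample of `nmap -sV -p 1400-1600 -oG -` output; addresses, names and ports are placeholders.
SAMPLE_GREPABLE = (
    "# Nmap 7.80 scan initiated as: nmap -sV -p 1400-1600 -oG - lab-target\n"
    "Host: 10.0.0.5 (lab-target)\tStatus: Up\n"
    "Host: 10.0.0.5 (lab-target)\tPorts: 1433/filtered/tcp//ms-sql-s///, "
    "1500/open/tcp//unknown//Example Service 1.0/\tIgnored State: closed (199)\n"
    "Host: 10.0.0.6 ()\tStatus: Down\n"
)

@dataclass(frozen=True)
class PortResult:
    host: str
    port: int
    state: str
    proto: str
    service: str
    version: str

def parse_grepable(text: str) -> list[PortResult]:
    """Parse -oG output into one PortResult per port Nmap chose to list."""
    results = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # "# Nmap ..." banner lines carry no port data
        # Tab-separated "Name: value" fields: Host, Status, Ports, Ignored State
        fields = dict(chunk.split(": ", 1) for chunk in line.split("\t") if ": " in chunk)
        host = fields["Host"].split(" ", 1)[0]  # "10.0.0.5 (lab-target)" -> address only
        for entry in fields.get("Ports", "").split(", "):
            if not entry:
                continue  # host line without a Ports field (e.g. Status: Down)
            # Entry layout: port/state/proto/owner/service/rpcinfo/version/
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            results.append(PortResult(host, int(port), state, proto, service, version))
    return results

def open_ports_in_range(results, lo: int, hi: int) -> list[PortResult]:
    """Keep only ports reported 'open' (not filtered or closed) within [lo, hi]."""
    return sorted((r for r in results if r.state == "open" and lo <= r.port <= hi),
                  key=lambda r: (r.host, r.port))

if __name__ == "__main__":
    # Pipe a live scan in with: nmap -sV -p 1400-1600 -oG - <host> | python3 this_script.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GREPABLE
    for r in open_ports_in_range(parse_grepable(text), 1400, 1600):
        print(f"{r.host}:{r.port}/{r.proto} open  service={r.service!r} version={r.version!r}")
```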
Copyright 2008 the following:
Sam McIngvale sam.mcingvale@u.northwestern.edu
Jim Spadaro j-spadaro@northwestern.edu
Whitney Young wbyoung@u.northwestern.edu
All rights reserved. Permission to reproduce this document in whole or in part must be obtained from the authors.