To start the lab clone the 354 repo (if you haven't) and run the script for the lab.
git clone https://github.com/cs354/CS-354.git bash CS-354/labs/nmap.bash
Nmap is a port scanner included in many distributions of Linux and other UNIX like systems. It can be used to scan machines in a network in a variety of different ways.
Command Line Options
-AEnables OS detection and Version detection, Script scanning and Traceroute
-P0Treat all hosts as online (skip host discovery)
-sSTCP SYN scan
-sTTCP connect scan
-sATCP ACK scan
-sWTCP window scan
-sMTCP maimon scan
-sNTCP null scan
-sFtcp FIN scans
-sXtcp xmas scans
-sXtcp xmas scans
-p <port ranges>Only scan specified ports
Nmap is run from the command line, so you run it just like all other command line programs. For the most part,
nmap will run without needing root access, but for certain scans, you will have to be root. This is because
nmap sometimes needs to create raw packets. You may see the error
sudo: setrlimit(RLIMIT_CORE): Operation not permitted, you can ignore this.
Things To Try
scanme.nmap.org with the different flags listed above from
netsec-playground.cs.northwestern.edu. You can use sudo from netsec-playground. Look through the output and see how the scan results differ. A typical
nmap command line looks like this: (~1 minute to run)
$ sudo nmap -A -sS -P0 -p 1-65535 scanme.nmap.org
Nmap allows you to easily scan an entire subnet. Before running this command, discuss with your partner which IP addresses it will scan. Be careful when scanning subnets, though. If you specify something like 184.108.40.206/1 by accident, you'll actually be scanning half of the internet. (~ 3 minutes)
$ sudo nmap -A -sS -P0 220.127.116.11/31
You can run the following scan without root privilege. Why?
$ nmap -sT -p 1-65535 scanme.nmap.org
Read the man page:
$ man nmap
We've setup another container on your network for you to exploit. The script for this lab will have printed the hostname of the service in the README seciton. There is a service located in the port range 1400-1600, use nmap to find the port running the service, use netcat to make a connection to the port and see what's running, and then figure out how to connect to the service. The credentials are both root.Inside the container you are trying to attack there is a file in the root directory @ /flag.txt. Show this to the TA to get credit.
Copyright 2008 the following:
Sam McIngvale email@example.com
Jim Spadaro firstname.lastname@example.org
Whitney Young email@example.com
All rights reserved. Permission to reproduce this document in whole or in part must be obtained from the authors.