Using NMAP for Scanning Networks.docx

The document provides a comprehensive guide on using NMAP for network scanning, detailing various scanning techniques such as ARP, UDP, ICMP, and TCP scans, along with specific commands for each method. It includes instructions for setting up virtual machines, performing host discovery, service version detection, and OS discovery, as well as evasion techniques to bypass firewalls and IDS. Additionally, it emphasizes the importance of understanding the results and outputs from NMAP scans for effective network security assessments.

Uploaded by

aishmurthy04

Using NMAP for Scanning Networks.

Virtual Machines Needed:


● Windows Server 2019
● Kali Linux
● Parrot Security
● Bee-Box
● Another Windows machine.
How to use NMAP:
● Start up your Kali Linux Virtual Machine.
● Log in to the machine using the Username: Kali and Password:
Kali.

● Next, select the "Applications" tab.


● Proceed by selecting "Information Gathering," followed by
clicking on "nmap."

● Next, the terminal window will appear as depicted in the screenshot.

Performing host discovery:


ARP Ping Scan:
● Here we are targeting the Windows Server 2019 [192.168.1.8] machine.
● In the terminal window, type the command “nmap -sn -PR
[Target IP Address]” (here, the target IP address is
192.168.1.8) and press Enter.
Note: -sn: disables port scan and -PR: performs ARP ping scan.

● After the scan completes, the output indicates that the target host is up, as shown in the screenshot.
● The ARP ping scan sends an ARP request to the target host; an ARP response means that the host is active.
UDP Ping Scan:
● In the terminal window, type command: “nmap -sn -PU
[Target IP Address]”, (here, the target IP address is
192.168.1.8) and press Enter.
● UDP ping scans require a root terminal. Use the command “sudo su -” to switch to a root terminal.

● The scan results appear, indicating the target host is up, as shown in the screenshot.

● Note: -PU: performs the UDP ping scan.


● The UDP ping scan sends UDP packets to the target host; a
UDP response means that the host is active. If the target host
is offline or unreachable, various error messages such as
“host/network unreachable” or “TTL exceeded” could be
returned.
ICMP ECHO Ping Scan:
● In the terminal window, type the command: “nmap -sn -PE [Target IP Address]” (here, the target IP address is 192.168.1.8) and press Enter.

● The scan results appear, indicating the target host is up, as shown in the screenshot.

● Note: -PE: performs the ICMP ECHO Ping Scan.


● The ICMP ECHO ping scan involves sending ICMP ECHO
requests to a host. If the target host is alive, it will return an
ICMP ECHO reply. This scan is useful for locating active devices
or determining if the ICMP is passing through a firewall.
ICMP ECHO Ping Sweep:
● In the terminal window, type command: “nmap -sn -PE
[Target Range of IP Addresses]”, (Here the target range of the
IP address is 192.168.1.1/24)
● Here in this experiment, we will be using the Windows Server 2019 machine, another Windows machine and the Parrot Linux machine.
● Note: The ICMP ECHO ping sweep is used to determine the
live hosts from a range of IP addresses by sending ICMP ECHO
requests to multiple hosts. If a host is alive, it will return an
ICMP ECHO reply.

● The result displays how many hosts are up within the IP range.
ICMP Timestamp Ping Scan:
● In the terminal window, type command: “nmap -sn -PP
[Target IP Address]”, (here, the target IP address is
192.168.1.8) and press Enter. The scan results appear,
indicating the target Host is up, as shown in the screenshot.
● Note: -PP: performs the ICMP timestamp ping scan.
● Note: ICMP timestamp ping is an optional and additional type of ICMP ping whereby the attacker sends a timestamp request to obtain the current time from the target host machine.

Apart from the aforementioned network scanning techniques, you can also use the following scanning techniques to perform host discovery on a target network.
● ICMP Address Mask Ping Scan: This technique is an alternative to the traditional ICMP ECHO ping scan; it is used to determine whether the target host is live, specifically when administrators block ICMP ECHO pings.
Use Command: nmap -sn -PM [target IP address]
● TCP SYN Ping Scan: This technique sends empty TCP SYN packets to the target host; an ACK response means that the host is active.
Use Command: nmap -sn -PS [target IP address]
● TCP ACK Ping Scan: This technique sends empty TCP ACK packets to the target host; an RST response means that the host is active.
Use Command: nmap -sn -PA [target IP address]
● IP Protocol Ping Scan: This technique sends probe packets using different IP protocols to the target host; a response to any of the probes indicates that the host is active.
Use Command: nmap -sn -PO [target IP address]
Port and Service Discovery Scan:
● In the command terminal, use the command: nmap -sT -v [Target IP address]
● Note: -sT: performs the TCP Connect/full open scan and -v: enables the verbose output (includes all hosts and ports in the output).
● After pressing Enter, you will see the results appearing as shown in the screenshot.
● This displays all the open TCP ports and services running on
the target machine.
● It also displays the ports, protocol, state, service and version
of the scan.
● Now in the command terminal use command: nmap -sS -v
[Target IP Address]
● Note: -sS: performs the Stealth Scan/TCP half-open scan and
-v: enables the verbose output (include all hosts and ports in
the output).
● The following result appears as shown in the screenshot.
● In the command terminal, type the command: nmap -sX -v
[Target IP Address]
● -sX: performs the Xmas scan and -v: enables the verbose
output (include all hosts and ports in the output).
● Note: Xmas scan sends a TCP frame to a target system with
FIN, URG, and PUSH flags set. If the target has opened the
port, then you will receive no response from the target
system. If the target has closed the port, then you will receive
a target system reply with an RST.
● Using this command shows the following result.
● In the Command field, type the command : nmap -sM -v
[Target IP Address]
● Note: -sM: performs the TCP Maimon scan and -v: enables the
verbose output (include all hosts and ports in the output).
● In the TCP Maimon scan, a FIN/ACK probe is sent to the target; if there is no response, the port is open|filtered, but if an RST packet is sent in response, the port is closed.
● After scanning it shows the following results as shown in the
screenshot.

● In the Command field, type the command: nmap -sA -v [Target IP Address] and hit Enter.
● Note: -sA: performs the ACK flag probe scan and -v: enables
the verbose output (include all hosts and ports in the output).
● The scan results appear, displaying that the ports are filtered
on the target machine, as shown in the screenshot.
● Now we perform a Null scan with a timing template and the aggressive option enabled.
● Note: -sN performs the Null scan, -A enables aggressive scanning, and -T4 is the fastest timing template while -T1 is the slowest.
● Now use the command: nmap -sN -T4 -A -v [Target IP]
● Here we take the target IP as the IP of the Bee-Box machine [192.168.1.10].
● Using this command, the following result is shown in the screenshot.
● This fetches a lot of information, such as port state, service, server software, protocols, OS, and much more.
● We can also store this output in a text file by adding the “-oN” option to the previous command.
● New command: nmap -sN -T4 -A -v [Target IP] -oN filename.txt

● Using this command will show the following result.
● Now, to view the file created, use the command: “ls”
● Then use the command “nano filename.txt” to view the file.
After using this command, the following window appears.

● Now in the Command field, type the command: nmap -sV [Target IP Address] and hit Enter.
● This command detects the version of each service running on the target IP address. Here the target IP address is that of the Bee-Box machine (192.168.1.10).
● Using the command the result is as follows:
● This command displays information such as Host Status,
Addresses, Operating System, Ports used, OS Classes, etc.
associated with the selected host.
● Now in the Command field, type the command: nmap -sF -p- -T4 [Target IP Address]. Here the target IP address is the IP of the Bee-Box machine (192.168.1.10). Then hit Enter.
● Note: -sF for TCP FIN Scan, -p- for scanning all 65535 TCP
Ports, -T4 means timing template to “aggressive”.
● This command will scan all TCP ports on the target IP address
(192.168.1.10) using a FIN scan, with an aggressive timing
template as shown in the screenshot.
● Now in the Command field, type the command: “nmap -sS -T5 [Target IP Address] --script firewall-bypass”.
● Here the target IP address is the IP of the Bee-Box machine (192.168.1.10).
● Note: -sS: This flag specifies a TCP SYN scan. It sends SYN packets to the specified ports to determine their state. -T5: This option sets the timing template to "insane". --script firewall-bypass: This option tells Nmap to run the script named "firewall-bypass". Nmap has a variety of built-in scripts that perform various tasks, and the "firewall-bypass" script might attempt to bypass certain types of firewalls or filters using various techniques. These scripts can be used for security testing and exploration of network defences.

● Now in the command field type the command: “nmap -p135,139,445 -sV [Target IP Address]”
● Here the target IP address is the IP of Bee-Box machine
(192.168.1.10)
● This command will perform a scan on the IP address
192.168.1.10, specifically targeting ports 135 (RPC), 139
(NetBIOS), and 445 (SMB) while attempting to identify the
versions of services running on those ports. This could help
identify the types and versions of services that might be
vulnerable to certain exploits or security issues.
● -p135,139,445: This flag specifies the ports to be scanned. In this case, ports 135, 139, and 445 are being scanned. These ports are commonly associated with Microsoft networking services such as SMB (Server Message Block). -sV: This flag enables version detection while scanning. It attempts to determine the version of the service running on the open ports.

OS discovery using nmap script engine:


● In the terminal window, type the command: nmap --script smb-os-discovery.nse [Target IP Address] (here, the target machine is Windows Server 2019 [192.168.1.8]) and press Enter.
● Note: --script: specifies the script to run, and smb-os-discovery.nse: attempts to determine the OS, computer name, domain, workgroup, and current time over the SMB protocol (ports 445 or 139).
● The scan results appear, displaying the target OS, computer
name, NetBIOS computer name, etc. details under the Host
script results section.

● Here we can understand and tell that this is a Windows machine.
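Added example (Python, not part of the original document): a parser for the normal-format report that the -oN option saves to filename.txt above, extended to read the Host script results block that smb-os-discovery.nse produces. The report text is constructed, with placeholder names, and is not a real scan result.

```python
import re
# Constructed sample of nmap normal output (-oN); not a real scan result, names are placeholders.
SAMPLE_ON = """\
Nmap scan report for 192.168.1.8
Host is up (0.00041s latency).
PORT     STATE    SERVICE       VERSION
135/tcp  open     msrpc         Microsoft Windows RPC
139/tcp  open     netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open     microsoft-ds
3389/tcp filtered ms-wbt-server

Host script results:
| smb-os-discovery:
|   OS: Windows Server 2019 (placeholder build string)
|_  Computer name: WIN-LAB-PLACEHOLDER
"""
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.+))?$")

def parse_normal_output(text):
    """Parse one host's -oN report into host, up/down, port rows and host script results."""
    report = {"host": None, "up": False, "ports": [], "scripts": {}}
    in_scripts, current = False, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            report["host"] = m.group(1)
        elif line.startswith("Host is up"):
            report["up"] = True
        elif line == "Host script results:":
            in_scripts = True
        elif in_scripts and line.startswith("|"):
            # "| name:" opens a script block; "|   Key: value" / "|_  Key: value" are its fields
            key, sep, value = line.lstrip("|_ ").partition(":")
            if sep and not value.strip():
                current = key.strip()
                report["scripts"][current] = {}
            elif sep and current:
                report["scripts"][current][key.strip()] = value.strip()
        else:
            m = PORT_RE.match(line)
            if m:  # e.g. "135/tcp  open     msrpc         Microsoft Windows RPC"
                port, proto, state, service, version = m.groups()
                report["ports"].append({"port": int(port), "proto": proto, "state": state,
                                        "service": service, "version": version or ""})
    return report

def open_ports(report):
    """Ports reported open, including the open|filtered state that FIN/Xmas/Null/Maimon scans give."""
    return [p["port"] for p in report["ports"] if p["state"].startswith("open")]
```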
Scan beyond IDS/Firewall using various evasion techniques:
● Here we need two virtual machines: Windows Server 2019 and Kali Linux.
● Now power on Windows Server 2019. By default the “Administrator” profile is selected; type “Pa$$w0rd” to log in.
● Navigate to Control Panel > System and Security > Windows
Defender Firewall > Turn Windows Defender Firewall on or off,
enable Windows Defender Firewall and click OK, as shown in
the screenshot.
● Minimize the Control Panel window and click on the Search icon on the Desktop. Type Wireshark in the search field; Wireshark appears in the results. Click on Wireshark to launch it.
● The Wireshark Network Analyzer window appears. Start capturing packets by double-clicking the available Ethernet interface [here, Ethernet0].

● Now open the Kali Linux machine.
● On the login page, use Username: kali and Password: kali to log in to the machine.
● Now click on the terminal icon to open a terminal window.
● Now use the command “sudo su -” in the terminal to run the programs as the root user.
● In the terminal window, type the command: “nmap -f [Target Machine’s IP]” (here the target machine is the Windows Server 2019 machine [192.168.1.8]).
● Note: -f switch is used to split the IP packet into tiny fragment
packets.

● After this, switch to Wireshark and you will observe the fragmented packets captured by Wireshark, as shown in the screenshot.
● Now switch to the Kali Linux virtual machine.
● In the terminal window, type the command: nmap -g 80 [Target IP Address]
● Target IP Address = 192.168.1.8
● Note: In this command, you can use the -g or --source-port option to perform source port manipulation.
● Note: Source port manipulation refers to replacing the actual source port number with a common port number to evade the IDS/firewall; this is useful when the firewall is configured to allow packets from well-known ports like HTTP, DNS, FTP, etc.
● Now hit enter to view the results.
● Now the result appears displaying all open TCP ports along
with the name of the services running on the port.
● Switch to the Windows server 2019 virtual machine (target
machine). In the Wireshark window, scroll-down and you can
observe the TCP packets indicating that the port number 80 is
used to scan other ports of the target host, as shown in the
screenshot.

● Now again switch to the Kali Linux virtual machine.
● Now in the terminal, type the command: “nmap -mtu 8 [Target IP Address]” and press Enter.
● Note: In this command, -mtu: specifies the Maximum Transmission Unit (MTU) size (here, 8 bytes per packet).
● Note: Using MTU, smaller packets are transmitted instead of
sending one complete packet at a time. This technique evades
the filtering and detection mechanism enabled in the target
machine.

● Switch to the Windows Server 2019 virtual machine (target machine). In the Wireshark window, scroll down and you can observe the fragmented packets having a maximum length of 8 bytes, as shown in the screenshot.
● Now again switch to the Kali-Linux Machine
● Now, type command: “nmap -D RND:10 [Target IP Address]”
(here, target IP address is 192.168.1.8) and press Enter.
● Note: In this command, -D: performs a decoy scan and RND:
generates random and non-reserved IP addresses (here, 10).
● By using this command, Nmap generates the requested number of random decoy addresses and randomly positions the real IP address among the decoy IP addresses.

● Switch to the Kali Linux machine.
● In the terminal window, type the command: “nmap -sT -Pn --spoof-mac 0 [Target IP Address]” (here, the target IP address is 192.168.1.8) and press Enter.
● Note: In this command, --spoof-mac 0 randomizes the MAC address, -sT: performs the TCP connect/full open scan, and -Pn skips host discovery.
● Note: MAC address spoofing technique involves spoofing a
MAC address with the MAC address of a legitimate user on
the network. This technique allows you to send request
packets to the targeted machine/network pretending to be a
legitimate host.
● Switch to the Windows 11 virtual machine (target machine). In the Wireshark window, scroll down and you can observe the captured TCP packets, as shown in the screenshot.
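Added example from the defender's side, not part of the original document: Python detection logic over packet summaries that stand in for the Wireshark rows observed in this section (constructed data, not a real capture). It flags the three footprints this section makes visible: a sweep from one fixed source port (-g 80), tiny IP fragments (-f, -mtu 8), and a burst of SYNs from many sources to one port (-D RND:10). The thresholds are assumptions.

```python
from collections import defaultdict

# Constructed packet summaries standing in for Wireshark rows (not a real capture):
# (seconds, src_ip, src_port, dst_ip, dst_port, tcp_flags, fragment_len)
# fragment_len is the IP payload size of a fragment, or None for an unfragmented packet.
TARGET = "192.168.1.8"
PACKETS = [(0.01 * i, "192.168.1.5", 80, TARGET, p, "S", None)          # nmap -g 80 sweep
           for i, p in enumerate([21, 22, 25, 53, 80, 110, 135, 139, 143, 443, 445, 3389])]
PACKETS += [(1.0 + 0.01 * i, "192.168.1.5", 40000 + i, TARGET, 445, "S", 8)  # -mtu 8 fragments
            for i in range(6)]
DECOYS = ["10.0.0.%d" % i for i in range(1, 11)] + ["192.168.1.5"]     # ten decoys + real scanner
PACKETS += [(2.0 + 0.001 * i, src, 50000, TARGET, 135, "S", None) for i, src in enumerate(DECOYS)]
PACKETS.append((3.0, "192.168.1.20", 52000, TARGET, 443, "S", None))   # an ordinary client

def fixed_source_port_sweeps(packets, min_ports=10):
    """(src, sport, dst) -> sorted dports for a source that SYNs many ports from ONE source port.
    Legitimate clients pick a fresh ephemeral port per connection; -g/--source-port does not."""
    seen = defaultdict(set)
    for _, src, sport, dst, dport, flags, _ in packets:
        if "S" in flags:
            seen[(src, sport, dst)].add(dport)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_ports}

def tiny_fragment_sources(packets, max_len=8):
    """Sources emitting IP fragments of max_len bytes or less; -f and -mtu 8 split a TCP
    header across several such fragments, which normal traffic never needs to do."""
    return sorted({src for _, src, _, _, _, _, frag in packets if frag is not None and frag <= max_len})

def decoy_like_bursts(packets, window=1.0, min_sources=5):
    """(dst, dport) -> sources when many distinct sources SYN the same port within `window`
    seconds, the shape of nmap -D; the real scanner is one of them but cannot be singled out here."""
    by_target = defaultdict(list)
    for ts, src, _, dst, dport, flags, _ in packets:
        if "S" in flags:
            by_target[(dst, dport)].append((ts, src))
    bursts = {}
    for key, hits in by_target.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            sources = {s for t, s in hits[i:] if t - t0 <= window}
            if len(sources) >= min_sources:
                bursts[key] = sorted(sources)
                break
    return bursts

if __name__ == "__main__":
    print("fixed source port:", fixed_source_port_sweeps(PACKETS))
    print("tiny fragments from:", tiny_fragment_sources(PACKETS))
    print("decoy-like bursts:", decoy_like_bursts(PACKETS))
```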
