Course: Cyber Security
CS Mapping & Port Scanning

To defend a network effectively you first need to know what needs protecting. That is asset management, and it relies on network mapping to identify which systems are actually active. Knowing which assets are exposed and which services they host is essential for anyone trying to secure a network.

Nmap – The Network Mapper

Nmap has long been regarded as the standard port scanner for network engineers and security professionals alike. The same tool identifies assets for both attackers and defenders; the difference lies in what is done with the results.

Network Mapping

One method to identify active hosts on a network is to send a ping, that is an ICMP Echo Request, to every IP address in the range and record which ones answer. This is commonly known as a Ping Sweep.

On its own this method is unreliable for discovering assets. A host may never see the ping, or may silently drop it, because a network firewall or a host-based firewall (installed on the system itself) blocks ICMP. A host that does not answer a ping is therefore not necessarily down.

A more effective approach is to send several different kinds of packets, so that a host which drops one type still gives itself away by answering another. When run with raw-packet privileges, Nmap's default host discovery sends the following probes to provoke a reply:

  • ICMP Echo Request
  • TCP SYN packet to port 443
  • TCP ACK packet to port 80
  • ICMP Timestamp Request

TCP normally begins with a three-way handshake, but the ACK probe to port 80 deliberately skips it: an ACK that belongs to no existing connection should be answered with a RST, and that RST proves the host is alive even where a stateless filter would have dropped a fresh SYN. Crafting packets like this (and the raw ICMP probes) requires root or administrator privileges. Without them, Nmap falls back to ordinary TCP connect() attempts to ports 80 and 443, which is less accurate. Combining several probe types is what makes Nmap's host discovery more reliable than a plain ping sweep.

The -Pn flag disables host discovery altogether: Nmap treats every address as up and goes straight to port scanning each one. This is useful when the targets are known to drop all discovery probes, but it makes scanning large ranges much slower. Always get explicit permission before running Nmap in a corporate environment; unauthorized scanning can violate policy and, depending on jurisdiction, the law.

  • Download Nmap from https://nmap.org and choose the build for your operating system.
  • Install Nmap and run it from a command line terminal.
  • Identify your local IP address and subnet mask (for example with ipconfig on Windows or ip addr on Linux).
  • Run Nmap against your subnet in CIDR notation to see which systems it detects, for example: nmap -vv 192.168.0.0/24

The two -v flags increase verbosity, so you can follow the scan as it runs rather than waiting for the final report. If you only want to know which hosts are up, add -sn to skip the port scan; adding -oX scan.xml saves the results as XML, which is far easier for other tools to process than the human-readable output.
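Once a scan is saved with -oX, the report can be turned into an asset inventory automatically. The parser below is an added example, not part of the course or of Nmap itself; it reads Nmap's XML output with the standard library and lists each live host with its MAC address, the reason Nmap decided it was up, and its open ports. The embedded report is constructed and simplified (real output carries many more attributes), with made-up addresses for a small LAN.

```python
"""Turn an Nmap XML report (saved with -oX) into an inventory of live hosts and open ports."""
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -vv -oX scan.xml 192.168.0.0/24` might produce
# for a small LAN. Addresses and MACs are invented for this example; real Nmap
# output has additional attributes that this parser simply ignores.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -vv -oX scan.xml 192.168.0.0/24" version="7.94">
<host><status state="up" reason="arp-response"/>
  <address addr="192.168.0.1" addrtype="ipv4"/>
  <address addr="AA:BB:CC:12:34:56" addrtype="mac"/>
  <ports>
    <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
    <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https"/></port>
  </ports>
</host>
<host><status state="down" reason="no-response"/>
  <address addr="192.168.0.2" addrtype="ipv4"/>
</host>
<host><status state="up" reason="arp-response"/>
  <address addr="192.168.0.3" addrtype="ipv4"/>
  <address addr="BB:CC:DD:12:34:56" addrtype="mac"/>
  <ports>
    <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
    <port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/><service name="microsoft-ds"/></port>
  </ports>
</host>
<host><status state="up" reason="arp-response"/>
  <address addr="192.168.0.4" addrtype="ipv4"/>
  <address addr="CC:DD:EE:12:34:56" addrtype="mac"/>
  <ports><extraports state="closed" count="1000"/></ports>
</host>
<runstats><hosts up="3" down="1" total="4"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """One record per <host>: ip, mac, whether it was up, why Nmap thought so, open ports."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        status = host.find("status")
        record = {
            "ip": None,
            "mac": None,
            "up": status is not None and status.get("state") == "up",
            "reason": status.get("reason") if status is not None else None,
            "open_ports": [],
        }
        for addr in host.findall("address"):
            if addr.get("addrtype") in ("ipv4", "ipv6"):
                record["ip"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                record["mac"] = addr.get("addr")
        # Only ports Nmap positively saw answer count as exposed; "filtered"
        # means a probe went unanswered, which is not the same as a service.
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                service = port.find("service")
                record["open_ports"].append((
                    int(port.get("portid")),
                    port.get("protocol"),
                    service.get("name") if service is not None else None,
                ))
        record["open_ports"].sort()
        hosts.append(record)
    return hosts


def live_hosts(xml_text):
    """Asset list keyed by IP: only the hosts Nmap saw respond to a probe."""
    return {h["ip"]: h for h in parse_nmap_xml(xml_text) if h["up"]}


if __name__ == "__main__":
    for ip, h in live_hosts(SAMPLE_NMAP_XML).items():
        ports = ", ".join(f"{p}/{proto} {name}" for p, proto, name in h["open_ports"]) or "none open"
        print(f"{ip:15} {h['mac'] or '-':17} ({h['reason']}): {ports}")
```

Note that a host with no open ports (192.168.0.4 above) still belongs in the inventory: it answered the discovery probe, so it exists and can be attacked or patched, it just offers nothing on the scanned ports. A port reported as filtered is listed nowhere, because an unanswered probe tells you only that something dropped the packet.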


ARP Scan

ARP only operates within a LAN, but when the hosts you want to discover are on the same LAN as you, it is the most reliable way to find them: every IPv4 host must answer ARP requests for its own address or it cannot communicate at all, and ARP is rarely filtered by host firewalls. By sending an ARP request for every address in the subnet, we prompt each live host to reply with its MAC address. Nmap does this automatically when its targets are on the local Ethernet segment.

The scan is performed as follows:

Eve: Please Provide Mac Address of system 192.168.0.1
Eve: Please Provide Mac Address of system 192.168.0.2
Eve: Please Provide Mac Address of system 192.168.0.3
Eve: Please Provide Mac Address of system 192.168.0.4
Eve: Please Provide Mac Address of system 192.168.0.5-254
Default Gateway: 192.168.0.1 is me and my MAC Address is AA:BB:CC:12:34:56
Bob: 192.168.0.3 is me and my MAC Address is: BB:CC:DD:12:34:56
Alice: 192.168.0.4 is me and my MAC Address is: CC:DD:EE:12:34:56

Note: ARP scanning is a simple and effective way to discover hosts on the local LAN, but ARP frames are not routed, so it cannot reach hosts on other subnets. For those you need IP-level probes such as Nmap's ICMP and TCP discovery packets.
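The exchange above, carried out with real ARP frames, as an added example that is not part of the course: the code builds the broadcast "who has X?" request for every address in the subnet, then parses the "X is at MAC" replies into a table of live hosts. Eve's own addresses (00:11:22:33:44:55 and 192.168.0.10) are assumed for the example, and the replies from the gateway, Bob and Alice are constructed in the script rather than captured from a network; it therefore runs offline with only the standard library.

```python
"""ARP scan built by hand: craft the 'who has X?' request for every address in a
LAN and parse the 'X is at MAC' replies. Standard library only."""
import ipaddress
import struct

ETH_P_ARP = 0x0806                          # EtherType for ARP
BROADCAST = bytes.fromhex("ff" * 6)         # requests go to every host on the segment
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"                  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
FRAME_LEN = 14 + struct.calcsize(ARP_FMT)   # 14-byte Ethernet header + 28-byte ARP body

# Assumed addresses for the scanner ("Eve"); any free address in the LAN would do.
EVE_MAC = "00:11:22:33:44:55"
EVE_IP = "192.168.0.10"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02X}" for b in raw)


def arp_frame(oper, src_mac, src_ip, dst_mac, dst_ip):
    """Ethernet frame carrying one ARP message (request or reply)."""
    eth_dst = BROADCAST if oper == ARP_REQUEST else mac_bytes(dst_mac)
    eth = eth_dst + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    target_hw = bytes(6) if oper == ARP_REQUEST else mac_bytes(dst_mac)  # unknown in a request
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                      mac_bytes(src_mac), ipaddress.IPv4Address(src_ip).packed,
                      target_hw, ipaddress.IPv4Address(dst_ip).packed)
    return eth + arp


def arp_scan_requests(src_mac, src_ip, cidr):
    """One 'who has?' frame per usable address in the subnet except our own: Eve's loop."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return {str(ip): arp_frame(ARP_REQUEST, src_mac, src_ip, None, str(ip))
            for ip in net.hosts() if str(ip) != src_ip}


def parse_arp_reply(frame):
    """(ip, mac) of the sender if the frame is a well-formed ARP reply, else None."""
    if len(frame) < FRAME_LEN or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(ARP_FMT, frame[14:FRAME_LEN])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None   # not Ethernet/IPv4 ARP, or a request rather than a reply
    return str(ipaddress.IPv4Address(spa)), mac_str(sha)


def discover(frames):
    """Live-host table from whatever came back on the wire: replies, noise, or nothing."""
    found = {}
    for frame in frames:
        parsed = parse_arp_reply(frame)
        if parsed:
            ip, mac = parsed
            found[ip] = mac
    return found


# Constructed traffic: the gateway, Bob and Alice answer as in the exchange above;
# 192.168.0.2 is absent and stays silent. The last two frames are the kind of noise a
# real capture also contains: a non-ARP (IPv4) frame and a truncated one.
SIMULATED_REPLIES = [
    arp_frame(ARP_REPLY, "AA:BB:CC:12:34:56", "192.168.0.1", EVE_MAC, EVE_IP),
    arp_frame(ARP_REPLY, "BB:CC:DD:12:34:56", "192.168.0.3", EVE_MAC, EVE_IP),
    arp_frame(ARP_REPLY, "CC:DD:EE:12:34:56", "192.168.0.4", EVE_MAC, EVE_IP),
    mac_bytes(EVE_MAC) + mac_bytes("AA:BB:CC:12:34:56") + b"\x08\x00" + bytes(28),
    b"\x00" * 20,
]

if __name__ == "__main__":
    requests = arp_scan_requests(EVE_MAC, EVE_IP, "192.168.0.0/24")
    print(f"would send {len(requests)} ARP requests of {FRAME_LEN} bytes each")
    for ip, mac in sorted(discover(SIMULATED_REPLIES).items(),
                          key=lambda kv: ipaddress.IPv4Address(kv[0])):
        print(f"{ip:15} is at {mac}")
```

To put these frames on a real wire under Linux you would open a raw link-layer socket (socket.AF_PACKET with SOCK_RAW and protocol htons(0x0806)), bind it to the interface, send each request and read replies back from the same socket; that requires root, the same privilege Nmap needs for its own ARP scan. The parser deliberately discards anything that is not an Ethernet/IPv4 ARP reply, so stray traffic on the segment cannot insert bogus entries into the host table.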