The document is a presentation by Mohammed Akbar Shariff, a cybersecurity intern, covering network basics, the Metasploitable II virtual machine, and Nmap, a network mapping utility. It details various Nmap port statuses, scan types, and OS fingerprinting techniques, explaining how these tools are used in cybersecurity assessments. Additionally, it highlights the Nmap Scripting Engine for service enumeration and vulnerability detection.

1. NMAP
and
Metasploitable-II

2. About Me
Mohammed Akbar Shariff
Cyber Sec Intern – WICS
Graduating M.tech
www.linkedin.com/in/mohammed-akbar-shariff
@akbarshariffak

3. Agenda
• Basics of Network
• Metasploitable II
• Introduction to NMAP
• Port Status
• Scan Types
• Host Discovery
• OS Fingerprinting
• Nmap Scripting Engine

4. Basics of Netwoks
TCP Header

5. Three way Handshake…???

7. TCP Three way handshake

8. Metasploitable II
The Metasploitable virtual machine is an
intentionally vulnerable version of Ubuntu Linux
designed for testing security tools and demonstrating
common vulnerabilities.

9. What is NMAP?
• Network Mapper - Utility used to identify assets and map them in a
network.
• https://github.com/nmap/nmap (Current release is 7.50, 20 year old
project and active)

10. Why NMAP..??
• Perhaps I can ping sweep?
• How to know which IP’s are alive?
• There are only
• 65535(PORTS) *2 (TCP &UDP)*24 ( if class C)

11. Nmap Port Status
• OPEN
• CLOSED
• FILTERED
• OPEN|FILTERED

12. NMAP port “Status” - Open
•Open - SYN reached the end system, victim responded with
SYN+ACK and Completes the handshake.
Nmap -n -sT -p 80 192.168.56.104

13. NMAP port “Status” - Closed
• Closed - SYN reached the end system, responded with
RST+ACK. System is accessible and service is still not open
on victim. Nmap -n -sT -p 22 192.168.56.104

14. NMAP port “Status” - Filtered
• Filtered – Observed when a port does not respond on repeated tries.
Nmap -n -sT -p 445 192.168.56.105

15. Scan Types
nmap <options><scan type> <target>

16. NMAP Options
-iL <filename>: Pass a list of hosts.
-iR <number of Hosts>: Choose random targets.
Ex: nmap -Pn -sS -p 80 -iR 0 --open
-p <port ranges> : Port scanning, Only scan specified ports…. -p-
Host Discovery
-sL (List Scan): Simply lists each host of the network(s) specified.
-sn : No port scan and only ping scan
-Pn : Skip ping scan and treat all host to be live
-PS <portlist> : TCP SYN Ping
-n : No DNS resolution
-R : DNS resolution for all targets
-PE; -PP; -PM : ICMP Ping Types.
-PA <port list> : TCP ACK ping
-PU <port list> : UDP Ping

17. Nmap Scan Types
• -sP (Ping Sweep) – Performs ARP ping and ICMP echo request to determine system is alive.
• -sS (TCP SYN Scan) – Determines a system/port being alive by sending only SYN and
waiting for SYN-ACK
• -sU (UDP Scan) – Probes UDP detects system/port is alive when there is a UDP response +
ICMP packet Destination unreachable.
• -sT (TCP Connect Scan): Performs connection establishment using system call “connect”
• -sN (Null scan): Does not set any bits (TCP flag header is 0).
• -sF (FIN Scan): Sets just the TCP FIN bit.
• -sX (Xmas scan): Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas
tree.

18. OS Fingerprinting
• Nmap sends a series of TCP and UDP packets to the remote host and
examines practically every bit in the responses.
• Nmap compares the results to its nmap-os-db database of more than 2,600
known OS fingerprints and prints out the OS details if there is a match.
-O (Enable OS detection)

19. Nmap – service Version and Enumeration!
• Nmap-services database is constantly updated with services, finger
printing and banners to identify remote ports and operating systems.
• -sV - runs about ~30 Nmap Script Engine (.nse files) to identify and
enumerate the service that has been detected earlier.
• -sC – runs “default” ~200 Nmap Script Engine (.nse files) to identify
and enumerate the services and provide vulnerabilities identified.
Optionally can use - -script option.

20. Nmap service Enumeration!
• The Difference between the two in Action
TCP scan with Version
-sT + -sV = -sTV
Regular TCP scan

21. Nmap Scripting Engine(NSE) –What and Why?
• Nmap Script Engine, written in Lua.
• Sophisticated Version detection and OS detection.
• Example: smb-os-discovery.nse , http-cisco-anyconnect.nse …
• Vulnerability detection.
• Example: tls-ticketbleed.nse, sslv2-drown.nse,..
• Malware detection.
• Example: http-google-malware.nse..
• Vulnerability Exploitation.
• Example: smb-psexec.nse,..

22. NSE – what? where?
• -sC and --script uses NSE. There is a default set launched when no
option is given. https://nmap.org/nsedoc/categories/default.html

23. Nmap Enumeration technique
Notice how the service is not shell
Even though Banner shows Shell

24. Nmap Enumeration technique
So you need to use –sTV along for
Version grab

25. Nmap Output Formatting
Greppable
Regular Text
XML

26. References
• https://www.nmap.org
• https://null.co.in/
• http://insecure.org/

27. QUESTIONS??

28. THANK YOU