Unit I • Active Reconnaissance

Active Reconnaissance with Nmap & Service Enumeration

Discover hosts, open ports, running services, and operating systems using Nmap. Learn service enumeration techniques including SMB, SNMP, banner grabbing, and Metasploit auxiliary modules for comprehensive network reconnaissance.

What is Nmap?

Definition

Network Mapper (Nmap) is a powerful open-source tool for network discovery and security auditing. It sends packets to target hosts and analyzes responses to map network topology and identify services.

Why Use Nmap?

Nmap helps penetration testers identify live hosts, discover open ports, detect running services, determine OS versions, and find potential vulnerabilities in target networks during the reconnaissance phase.

Key Features

Host Discovery

Identify which hosts are online using ping scans, ARP requests, and protocol-specific probes

Port Scanning

Discover open, closed, and filtered ports using various scan techniques (TCP, UDP, SYN, etc.)

Service Detection

Detect running services, application versions, and sometimes even specific software builds

OS Detection

Fingerprint operating systems using TCP/IP stack implementation differences

Basic Nmap Syntax

nmap [Scan Type] [Options] [Target Specification]

Example:

nmap -sS -p 1-1000 192.168.1.1

Meaning:

SYN scan of ports 1-1000 on the target

Lab: Active Reconnaissance with Nmap & Service Enumeration

Metasploitable2 VM Scanning Exercise

Practice Nmap scanning techniques on the intentionally vulnerable Metasploitable2 virtual machine. This lab environment is designed for learning penetration testing tools safely.

Lab Objectives:

  • Discover all open ports on Metasploitable2 VM
  • Identify running services and their versions
  • Detect the operating system
  • Run vulnerability detection scripts
  • Enumerate SMB shares and users
  • Grab service banners with Netcat/Telnet
  • Use Metasploit auxiliary modules
  • Document findings in a table format
  • Save results in multiple formats

Required Tools:

Kali Linux, Nmap, enum4linux, smbclient, snmpwalk, Netcat, Telnet, Metasploit, Metasploitable2 VM

Step-by-Step Commands

# 1. Find Metasploitable2 IP
nmap -sn 192.168.1.0/24

# 2. Full port scan
nmap -p- [TARGET_IP]

# 3. Service detection
nmap -sV [TARGET_IP]

# 4. OS detection
nmap -O [TARGET_IP]

# 5. Vulnerability scan
nmap --script vuln [TARGET_IP]

# 6. SMB enumeration
enum4linux -a [TARGET_IP]

# 7. SNMP enumeration
snmpwalk -c public -v1 [TARGET_IP]

# 8. Banner grabbing
nc -nv [TARGET_IP] 22

# 9. Metasploit modules
msfconsole -q -x "use auxiliary/scanner/smb/smb_version; set RHOSTS [TARGET_IP]; run; exit"

# 10. Save all results
nmap -oA metasploitable_scan -sV -O [TARGET_IP]
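Seen from the target side, steps 1 through 5 leave a recognisable footprint: one source address probing many distinct destination ports in a short time, with most probes never completing a TCP handshake. The following detector applies that heuristic to connection-log records. It is an added example written for this page, not course material or Nmap code; the log format, addresses and times are constructed for the demonstration.

```python
"""Port-scan detection over connection logs (added example; not part of the course page)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (made-up addresses and times, not a real capture).
# One record per line: "<iso timestamp> <src_ip> <dst_ip> <dst_port> <state>"
# where state is SYN (handshake never completed) or EST (connection established).
SCAN_LINES = [
    f"2024-05-01T10:00:{i:02d} 192.168.1.50 192.168.1.20 {20 + i} SYN"
    for i in range(15)  # one source sweeping ports 20-34 within 15 seconds
]
BENIGN_LINES = [
    "2024-05-01T10:00:03 192.168.1.51 192.168.1.20 80 EST",
    "2024-05-01T10:00:04 192.168.1.51 192.168.1.20 443 EST",
    "2024-05-01T10:00:09 192.168.1.51 192.168.1.20 80 EST",
    "2024-05-01T10:00:12 192.168.1.51 192.168.1.20 22 SYN",  # a single stray SYN
]
SAMPLE_LOG = "\n".join(SCAN_LINES + BENIGN_LINES)


def parse_line(line):
    """Split one constructed log record into typed fields."""
    ts, src, dst, port, state = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "state": state}


def detect_scanners(log_text, window_seconds=60, port_threshold=10):
    """Return {src_ip: peak_distinct_ports} for sources whose half-open (SYN-only)
    probes reached port_threshold or more distinct (dst, port) pairs inside any
    sliding window of window_seconds."""
    events = sorted((parse_line(ln) for ln in log_text.splitlines() if ln.strip()),
                    key=lambda e: e["ts"])
    half_open = defaultdict(list)
    for e in events:
        if e["state"] == "SYN":  # completed connections are ordinary traffic
            half_open[e["src"]].append(e)

    alerts = {}
    for src, evs in half_open.items():
        window = deque()
        for e in evs:
            window.append(e)
            cutoff = e["ts"] - timedelta(seconds=window_seconds)
            # Drop records older than the window; the newest record always stays.
            while window[0]["ts"] < cutoff:
                window.popleft()
            distinct = {(w["dst"], w["port"]) for w in window}
            if len(distinct) >= port_threshold:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for src, count in detect_scanners(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {count} distinct ports probed")
```

The threshold and window are tuning knobs: a full `-p-` scan trips the rule almost immediately, while a slow scan spread over minutes needs a longer window, at the cost of more false positives from busy legitimate clients. Counting only SYN records that never became established connections is what separates the sweep from the benign host that opens the same two web ports repeatedly.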

Expected Findings

Multiple Web Services

Apache, Tomcat, and other web servers on different ports

Database Services

MySQL, PostgreSQL, and other databases exposed

Vulnerable Services

Backdoors, weak configurations, and known vulnerabilities

OS Detection

Linux-based system with a specific kernel version

SMB Shares

Anonymous access to shares like /tmp and /www

SNMP Access

Public community string with system information

Findings Table Template

Document your enumeration results in this format:

+--------+-----------+------------------+------------------+
| Port   | Service   | Version          | Potential Risk   |
+--------+-----------+------------------+------------------+
| 21     | ftp       | vsFTPd 3.0.3     | Anonymous access |
| 22     | ssh       | OpenSSH 7.6p1    | Weak crypto      |
| 23     | telnet    | Linux telnet     | Clear text       |
| 80     | http      | Apache 2.4.29    | Web vulns        |
| 445    | smb       | Samba 3.0.20     | Share access     |
| 161    | snmp      | NET-SNMP         | Info disclosure  |
+--------+-----------+------------------+------------------+

Key Takeaways

  1. Host discovery identifies online targets before port scanning
  2. SYN scans are stealthier than TCP connect scans
  3. Version detection reveals specific software and versions
  4. OS fingerprinting identifies target operating systems
  5. NSE scripts automate reconnaissance and vulnerability detection
  6. SMB enumeration reveals shares, users, and domain information
  7. SNMP enumeration provides system information via community strings
  8. Banner grabbing captures service versions and configurations
  9. Metasploit auxiliary modules automate service enumeration
  10. Document findings in structured tables for reporting
  11. Save scan results in multiple formats for analysis and reporting
  12. Always scan only authorized targets in controlled environments