CSC 482/582 Assignment #6: Port Scanning
Due: December 9, 2010

In this lab, students will study how port scans work using nmap and the Wireshark network protocol analyzer. These tools are an essential part of a security professional's toolkit, providing powerful capabilities to verify the security of networks.

1 Installing the Software

You can either install these tools directly or use a live CD, such as Backtrack 4, that already has the tools installed. See assignment #4 for more information about installing Backtrack 4. To install the tools directly:

1. nmap Download nmap from http://nmap.org/download.html and follow the instructions on that page to install it.

2. wireshark Download one of the installers from http://www.wireshark.org/download.html, then follow the instructions to install it.

Note that you will need to have administrative rights to run these programs.

2 TCP connect scan

Start Wireshark and begin capturing network traffic. If your PC is on a noisy network, you may need to configure a Wireshark capture filter so that only packets coming from or destined to your PC's IP address are captured. Scan kosh.nku.edu with nmap's TCP connect scan (the -sT option). Once the scan is complete, stop Wireshark's capture and save the captured packets as tcp-connect-scan.pcap. Include the nmap output in your lab report, along with an explanation of the results. For each port, note the state of the port (open, closed, or filtered) and explain what that state means. Describe what type of software is most likely running on this port and look up one vulnerability that has been found in that software recently in the National Vulnerability Database (http://web.nvd.nist.gov/view/vuln/search). Include the vulnerability's CVE identifier along with a brief description.

3 SYN stealth scan

Begin capturing network traffic with Wireshark. Scan kosh.nku.edu with nmap's SYN stealth scan (the -sS option). Once the scan is complete, stop Wireshark's capture and save the captured packets as syn-scan.pcap. Include the nmap output in your lab report, along with an explanation of the results. For each port, note the state of the port (open, closed, or filtered) and explain what that state means. Describe what type of software is most likely running on this port and look up one vulnerability that has been found in that software recently in the National Vulnerability Database (http://web.nvd.nist.gov/view/vuln/search). Include the vulnerability's CVE identifier along with a brief description.

4 Comparing the network captures

Analyze the captured packets from the TCP connect scan. How does nmap determine which ports are open and which are closed? Note that most ports probed by nmap are closed, and that most closed ports are not listed in the nmap output you analyzed above. How many packets are returned by an open port? How many by a closed port? How do the TCP header flags differ in the packets returned by open ports as compared to closed ports? How does the number of packets sent by nmap differ between open and closed ports?

Analyze the captured packets from the SYN stealth scan. What are the differences between this port scan and the TCP connect scan in terms of both the number of packets and the header flags? Answer for both closed and open ports. How does the number of packets sent by nmap differ between open and closed ports for the SYN stealth scan?
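One way to check your answers against the captures, as an added example that is not part of the assignment: it takes packet records of the kind you can read off Wireshark's TCP columns (constructed here, with made-up addresses standing in for your PC and for kosh.nku.edu), infers each port's state from the flags in the target's replies, counts packets per port, and tells a connect scan from a SYN scan by whether the scanner ever sends a bare ACK to finish the handshake.

```python
# Added example (not from the assignment): classify each scanned port from a
# list of (src_ip, dst_ip, src_port, dst_port, flags) records such as you would
# read off Wireshark's TCP columns. Hosts, ports and packets are all constructed.
from collections import defaultdict

SCANNER = "10.0.0.5"   # constructed scanning host (your PC)
TARGET = "10.0.0.9"    # constructed target (stands in for kosh.nku.edu)

def classify_ports(packets, scanner=SCANNER, target=TARGET):
    """Per target port: state (open/closed/filtered), probes sent, replies seen.
    open = target sent SYN/ACK; closed = target sent RST; filtered = silence."""
    ports = defaultdict(lambda: {"state": "filtered", "sent": 0, "returned": 0})
    for src, dst, sport, dport, flags in packets:
        if src == scanner and dst == target:
            ports[dport]["sent"] += 1
        elif src == target and dst == scanner:
            entry = ports[sport]
            entry["returned"] += 1
            if {"SYN", "ACK"} <= flags:
                entry["state"] = "open"
            elif "RST" in flags and entry["state"] != "open":
                entry["state"] = "closed"
    return dict(ports)

def scan_type(packets, scanner=SCANNER, target=TARGET):
    """'connect' if the scanner ever finishes the handshake with a bare ACK
    (the OS does this for nmap -sT); 'syn' if it only sends SYN and RST."""
    for src, dst, _, _, flags in packets:
        if src == scanner and dst == target and flags == {"ACK"}:
            return "connect"
    return "syn"

# Constructed captures: port 22 open, port 23 closed, port 80 never answers.
CONNECT_SCAN = [
    (SCANNER, TARGET, 40001, 22, {"SYN"}),
    (TARGET, SCANNER, 22, 40001, {"SYN", "ACK"}),
    (SCANNER, TARGET, 40001, 22, {"ACK"}),         # full handshake completed
    (SCANNER, TARGET, 40001, 22, {"RST", "ACK"}),  # then torn down
    (SCANNER, TARGET, 40002, 23, {"SYN"}),
    (TARGET, SCANNER, 23, 40002, {"RST", "ACK"}),
    (SCANNER, TARGET, 40003, 80, {"SYN"}),
]
SYN_SCAN = [
    (SCANNER, TARGET, 40004, 22, {"SYN"}),
    (TARGET, SCANNER, 22, 40004, {"SYN", "ACK"}),
    (SCANNER, TARGET, 40004, 22, {"RST"}),         # half-open: reset, never ACKed
    (SCANNER, TARGET, 40005, 23, {"SYN"}),
    (TARGET, SCANNER, 23, 40005, {"RST", "ACK"}),
    (SCANNER, TARGET, 40006, 80, {"SYN"}),
]
```

Running classify_ports on both lists shows the open port costing one more scanner packet under the connect scan than under the SYN scan, while closed and filtered ports look the same in both.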

5 Deliverables

For this assignment, you need to turn in a hardcopy of your lab report in class and submit an electronic attachment named a6.zip by e-mail. Your lab report should have clearly labeled sections, matching the sections above, with answers to the questions above in the appropriate sections. Your electronic assignment submission should include:

1. Your lab report in Rich Text Format, named a6-report.rtf.

2. A Wireshark packet capture of the TCP connect scan, named tcp-connect-scan.pcap.

3. A Wireshark packet capture of the SYN stealth scan, named syn-scan.pcap.
