Any actions and/or activities related to the material contained within this Website are solely your responsibility. The misuse of the information in this website can result in criminal charges being brought against the persons in question. Cyber Security Associates Limited will not be held responsible for any criminal charges brought against any individuals misusing the information in these projects to break the law.
Please ensure you are using the latest SD Card image which is available here.
This project aims to provide an insight into Nmap and how it provides valuable information on a target network and specific target machines. This tool is typically used in Phase 2 of the 5 Phases of “Ethical” Hacking.
Nmap is a powerful and versatile tool used in penetration testing which, when configured properly, can provide a range of information about a target network and target machine. It is possible to use Nmap to target a network or a subnet of a network, depending on the target and where in the network the scanning device is positioned. Moreover, Nmap can be used to map a network by measuring the number of hops between the scanning machine and its neighbours, providing valuable intelligence on the structure of a network for an attacker. Nmap can also provide intelligence about the ports that are open on a target machine, the service on each port, its version and much more information when used properly.
By default, a normal Nmap scan without any flags uses TCP and scans the top 1000 most popular ports (stress to the students that there are 65535 ports in total, including port 0, and each can be used for a different service or reconfigured to run a different service than usual). This kind of scan creates a lot of network traffic, and if the target is running a more advanced firewall or an Intrusion Detection System (IDS) and/or an Intrusion Prevention System (IPS), the scanner will be caught early and blacklisted from the network. It is possible to renew an IP address (restart the router), but this is disruptive, and the best practice is to use Nmap carefully so that it does not generate a lot of traffic.
Transmission Control Protocol (TCP) is a standard that defines how two machines talk to each other. The process starts with a 3-way handshake between the machines, after which packets are passed between them in a controlled order, which is why it creates increased network traffic. This connection also exchanges significant information between the two devices, such as IP addresses, MAC addresses and data requirements. By adjusting how Nmap works it is possible to stop the connection short, revealing only limited information about the attacker’s machine and thus generating less network traffic.
TCP 3-Way Handshake
Make sure the students understand the flags outlined in the student worksheet; these three flags are an introduction to the many flags available in Nmap:
-sS is the flag that prevents the complete TCP 3-way handshake from completing.
-Pn stops host discovery, which reveals the IP address of the attacker’s device and every other IP address on the network.
-sC runs a series of scripts against the target machine and returns a lot of information about the services available.
Stress to the students that there are “easier” tools to use, but they allow less scope for the students to learn how the tools work. Alongside understanding Nmap, understanding how network protocols work is also important; this helps anyone interested in IT and cyber security to really understand a target and how to get to it.
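To show students what the IDS mentioned above actually sees, here is an added example (it is not part of the worksheet, nor code from Nmap) that follows TCP handshakes through a constructed packet capture and flags a source whose SYNs to many ports never reach the established state, which is the trace a -sS scan leaves next to a normal client that completes the handshake. The host addresses, port numbers and packet records are all constructed for the example.

```python
from collections import defaultdict

SERVER, CLIENT, SCANNER = "10.0.0.20", "10.0.0.5", "10.0.0.9"   # constructed hosts

def handshake(client, sport, port):
    """Legitimate connection: SYN, SYN/ACK, ACK (the full 3-way handshake)."""
    return [(client, sport, SERVER, port, "S"), (SERVER, port, client, sport, "SA"),
            (client, sport, SERVER, port, "A")]

def syn_probe(scanner, sport, port, is_open):
    """Half-open probe (nmap -sS style): SYN, then RST from the scanner if the port is open, or RST from the server if closed."""
    pkts = [(scanner, sport, SERVER, port, "S")]
    if is_open:
        pkts += [(SERVER, port, scanner, sport, "SA"), (scanner, sport, SERVER, port, "R")]
    else:
        pkts.append((SERVER, port, scanner, sport, "R"))
    return pkts

# Constructed capture: records are (src, sport, dst, dport, flags) in arrival order,
# with tcpdump-style flag letters S=SYN, SA=SYN/ACK, A=ACK, R=RST.
SAMPLE_PACKETS = handshake(CLIENT, 40001, 80) + handshake(CLIENT, 40002, 443)
for i, (port, is_open) in enumerate([(22, True), (23, False), (25, False),
                                     (80, True), (443, True), (8080, False)]):
    SAMPLE_PACKETS += syn_probe(SCANNER, 50000 + i, port, is_open)

def track_handshakes(packets):
    """Follow each (client, server, port) through the handshake: SYN, SYNACK, ESTABLISHED, HALF_OPEN_RESET or REFUSED."""
    state = {}
    for src, sport, dst, dport, flags in packets:
        fwd, rev = (src, dst, dport), (dst, src, sport)   # client->server / server->client keys
        if flags == "S":
            state[fwd] = "SYN"
        elif flags == "SA" and state.get(rev) == "SYN":
            state[rev] = "SYNACK"
        elif flags == "A" and state.get(fwd) == "SYNACK":
            state[fwd] = "ESTABLISHED"
        elif flags == "R" and state.get(fwd) == "SYNACK":
            state[fwd] = "HALF_OPEN_RESET"            # scanner tore down a half-open connection
        elif flags == "R" and state.get(rev) == "SYN":
            state[rev] = "REFUSED"                    # server refused a closed port
    return state

def detect_syn_scanners(packets, threshold=5):
    """Flag sources whose SYNs to at least `threshold` distinct ports never reached ESTABLISHED (a simple IDS port-scan rule)."""
    incomplete = defaultdict(set)
    for (client, server, port), st in track_handshakes(packets).items():
        if st != "ESTABLISHED":
            incomplete[client].add((server, port))
    return {src: len(ports) for src, ports in incomplete.items() if len(ports) >= threshold}
```

Run it and only the scanning host is reported, with the number of ports it probed without ever finishing a handshake; the normal client, which completes both of its connections, is not.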
Suggested Year Group
This project is designed to be completed by students over the age of 16. There are a range of subjects the students need at least an initial exposure to, including networking protocols, Kali Linux and the 5 stages of “Ethical” Hacking.
Stress the explicit nature of the disclaimer on the student worksheet;
Instruct the students about Nmap;
Introduce how Nmap can be used to discover other devices on a network and how to do a port scan on a specific machine;
Provide the students time to practice with the tools they are learning about in this project.
Component Number (Peli Case)
(Base) 4 & 5
(Level 1) 3
(Level 1) 3
(Level 1) 3
(Level 1) 5
(Level 1) 1
Component Number (Box Case)
Raspberry Pi + Case
Kali SD Card
Power Supply Unit
Stress to the students that this project is for educational purposes only, that this information should not be used outside the classroom and that it should NEVER be used for malicious purposes. There are millions of automated scanners on the internet that scan devices every day, collecting information on vulnerable devices for governments and organisations (both legal and illegal). Only scan the devices within your own network; understanding how different devices work is important in order to know how to strengthen your network and reduce the risk of an attack.