Part One Lab
Lab 5.1 - Inventory
Objectives:
Inspect the results of Nmap active scanning to generate an inventory.
Compare a previous inventory with a current inventory and determine new systems and services.
Provide hands-on experience with Zenmap and ndiff.
Challenges:
1. Inventory
Use Zenmap to load /labs/inventory/new-inventory.xml, an Nmap XML file containing the results of a previous active inventory scan. Note all discovered host IP addresses and their operating systems.
Some Nmap data may indicate a range of OSes, while other data may be more specific. Use all available data and be as specific as possible.
2. New hosts
Compare the results of your scan with the previous inventory scan available in the Sec-511-Linux VM at /labs/inventory/old-inventory.xml.
3. New services discovered on previously seen hosts:
One host is running an additional service since the previous scan. Identify that service.
Let's run Zenmap.
Let's go to Scan > Open Scan, then click the "File System" icon on the left, select the "labs" directory, then "inventory," and choose /labs/inventory/new-inventory.xml. Finally, click "Open."
The icons on the left show that 10.5.12.49 is running OpenBSD, while 10.5.12.25 and 10.5.12.202 are running Linux. The Zenmap results indicate that 10.5.12.20 and 10.5.12.183 are Windows machines (likely ranging from Windows 7/2008 to Windows 10). Let's check the host script results for the specific versions.
Let's repeat the same steps for the IP address 10.5.12.183.
Also let's gather more information about the Linux system at 10.5.12.25.
We can also gather additional details for the Linux system at 10.5.12.202.
Now, let's compare the results of the current inventory scan with the previous scan, which can be found in the Sec-511-Linux VM at /labs/inventory/old-inventory.xml.
Let's run ndiff in a terminal window, comparing /labs/inventory/old-inventory.xml to /labs/inventory/new-inventory.xml:
Note: A "+" indicates that the results are present in /labs/inventory/new-inventory.xml but not in /labs/inventory/old-inventory.xml. A "-" indicates the opposite.
The results show that 10.5.12.183 is a newly identified host that was offline during the initial scan.
The results show that 10.5.12.202 was online during both instances and is currently running an Apache HTTP server on port 80.
Please note the following entries:
"Filtered" indicates that no response was received to the TCP SYN packet sent during the port scan. "Closed" means the host responded with an RST/ACK to the TCP SYN packets. This also suggests that a firewall was active on 10.5.12.202 during the previous scan but was disabled during the current scan.
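The comparison ndiff performs above can be reproduced in a few lines for automated inventory checks. The script below is an added example, not part of the original lab: the embedded XML is constructed sample data modelled on the lab's findings, and the function names load_inventory and diff_inventories are hypothetical. It reports hosts that appear only in the new scan and ports that are open now but were not open before, together with their previous state.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample scans modelled on the lab's findings; not the lab's real XML.
OLD_XML = """<nmaprun>
<host><status state="up"/><address addr="10.5.12.202" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="filtered"/><service name="http"/></port>
</ports></host></nmaprun>"""
NEW_XML = """<nmaprun>
<host><status state="up"/><address addr="10.5.12.183" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
</ports></host>
<host><status state="up"/><address addr="10.5.12.202" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/>
<service name="http" product="Apache httpd" version="2.2.15"/></port>
<port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
</ports></host></nmaprun>"""

def load_inventory(xml_text):
    """Map each 'up' IPv4 host to {(protocol, port): (state, service label)}."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None or status is None or status.get("state") != "up":
            continue
        ports = {}
        for port in host.iter("port"):
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            # Prefer the version-detection banner, fall back to the service name.
            label = " ".join(filter(None, (attrs.get("product"), attrs.get("version"))))
            key = (port.get("protocol"), int(port.get("portid")))
            ports[key] = (port.find("state").get("state"), label or attrs.get("name", "unknown"))
        inventory[addr.get("addr")] = ports
    return inventory

def diff_inventories(old, new):
    """Return (new hosts, {ip: [(proto, port, label, previous state)]}) for newly open ports."""
    new_hosts = sorted(set(new) - set(old), key=ipaddress.ip_address)
    new_services = {}
    for ip in set(old) & set(new):
        for key, (state, label) in sorted(new[ip].items()):
            previous = old[ip].get(key, (None, None))[0]
            if state == "open" and previous != "open":
                new_services.setdefault(ip, []).append((*key, label, previous))
    return new_hosts, new_services
```

To run it against real scan output, read each XML file into a string and pass it to load_inventory in place of the constructed samples.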
Inventory:
10.5.12.20: Windows 8.1
10.5.12.25: Ubuntu Linux
10.5.12.49: OpenBSD 5
10.5.12.183: Windows 7 Professional
10.5.12.202: CentOS Linux (kernel: 2.6 or 3)
New Hosts:
10.5.12.183: Windows 7 Professional
New services identified on previously observed hosts:
10.5.12.202: Apache httpd 2.2.15 (TCP port 80)