
Lab 3: Active Reconnaissance -- Full Network Scan and Service Enumeration


Week 3 graded lab. First lab with active scanning. Authorized lab network only.


Learning objectives

  • Conduct a broad port-discovery scan with Masscan across the authorized IP range
  • Follow up with targeted service enumeration using Nmap
  • Apply service-specific enumeration tools (enum4linux, smbmap, ssh-audit, ftp client)
  • Produce a structured host inventory suitable for use in the vulnerability analysis phase

Authorization

Authorized target: The lab network range assigned at the start of this lab (instructor-assigned RFC 1918 range). This range contains your Kali VM and any intentionally vulnerable VMs set up for this course.

Not authorized: Any IP outside the stated lab range. Before running Masscan or Nmap, verify your lab IP assignment and confirm the CIDR range with your instructor. Scanning outside the authorized range is an ethical violation and potentially a legal one. Do not proceed if you are uncertain about the scope.

Important: Set your Kali network adapter to Host-Only for this lab. This constrains your scans to the lab network at the hypervisor level.


Phase 1: Broad discovery (Masscan)

Run Masscan across the full TCP port range of the lab network to discover which hosts are live and which ports are open. The --rate parameter controls packets per second; the value below is conservative for a lab environment.

# Record your authorized lab range:
export LAB_RANGE="192.168.x.x/24"  # replace with your assigned range

# Run Masscan:
sudo masscan -p1-65535 "$LAB_RANGE" --rate=500 -oL masscan-output.txt

# Review the output:
cat masscan-output.txt

Document: Which IP addresses responded? On which ports? Save the full masscan-output.txt as an appendix to your lab report.


Phase 2: Targeted service enumeration (Nmap)

For each live host discovered in Phase 1, run a targeted Nmap scan that combines version detection (-sV) with the default script set (-sC). Limit the scan to the ports Masscan reported open; this is far faster than scanning the full port range again.

# Example: host at 192.168.x.20 had ports 21, 22, 80, 139, 445, 3306 open:
nmap -sV -sC -p 21,22,80,139,445,3306 192.168.x.20 -oA nmap-192.168.x.20

# For any host where you want to confirm nothing was missed:
nmap -sV -sC -p- 192.168.x.20 -oA nmap-full-192.168.x.20
# (Full -p- scan is slow; use only on a host of high interest)

Run this for every live host. Save the Nmap output files (.nmap, .xml, .gnmap) as appendices.
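Bridging Phase 1 and Phase 2, here is an added example that is not part of the lab handout: it parses Masscan's -oL list format, groups the open TCP ports per host, checks every reported host against the authorized range from the Authorization section, and emits the Phase 2 Nmap command line for each in-scope host. The IPs, range and timestamps are constructed sample values.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of Masscan list (-oL) output, in the format the Phase 1
# command writes: "<state> <proto> <port> <ip> <timestamp>" plus comment lines.
SAMPLE_MASSCAN_OL = """\
#masscan
open tcp 22 192.168.56.20 1700000000
open tcp 21 192.168.56.20 1700000000
open tcp 445 192.168.56.20 1700000001
open tcp 80 192.168.56.21 1700000001
open tcp 3306 192.168.56.20 1700000002
open tcp 22 10.0.0.5 1700000003
# end
"""

def parse_masscan_list(text):
    """Return {ip: sorted list of open TCP ports} from Masscan -oL output."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue  # "#masscan" header and "# end" footer
        fields = line.split()
        if len(fields) < 4 or fields[0] != "open":
            continue
        _state, proto, port, ip = fields[:4]
        if proto == "tcp":
            hosts[ip].add(int(port))
    return {ip: sorted(ports) for ip, ports in hosts.items()}

def nmap_commands(hosts, lab_range):
    """Build one Phase 2 Nmap command per in-scope host.

    Hosts outside lab_range are returned separately so they are never scanned;
    a response from outside the range means the scope or adapter setup is wrong.
    """
    net = ipaddress.ip_network(lab_range, strict=False)
    commands, out_of_scope = [], []
    for ip in sorted(hosts, key=ipaddress.ip_address):
        if ipaddress.ip_address(ip) not in net:
            out_of_scope.append(ip)
            continue
        ports = ",".join(str(p) for p in hosts[ip])
        commands.append(f"nmap -sV -sC -p {ports} {ip} -oA nmap-{ip}")
    return commands, out_of_scope

if __name__ == "__main__":
    cmds, skipped = nmap_commands(parse_masscan_list(SAMPLE_MASSCAN_OL), "192.168.56.0/24")
    print("\n".join(cmds))
    if skipped:
        print("# NOT IN AUTHORIZED RANGE, do not scan:", ", ".join(skipped))
```

To use it on your own results, read masscan-output.txt into parse_masscan_list and pass $LAB_RANGE as lab_range; investigate any out-of-scope host with your instructor before doing anything else.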

Document for each host:

  • IP address and hostname (if resolvable)
  • Nmap OS guess and confidence percentage
  • Every open port, its service name, and its version string

Phase 3: Service-specific enumeration

For each service category present in the scan results, run the service-specific enumeration tool.

SMB / Samba (ports 139, 445)

# enum4linux: shares, users, groups, password policy via null session
enum4linux -a <host-ip>

# smbmap: share enumeration with access level (R/W/None per share)
smbmap -H <host-ip>

# Nmap SMB scripts:
nmap --script=smb-security-mode,smb-vuln-ms17-010 -p 445 <host-ip>

Note: On Metasploitable 2, null session SMB enumeration reveals users, shares, and the password policy without any credentials.

SSH (port 22)

# Banner grab:
nc -v <host-ip> 22

# SSH algorithm audit:
ssh-audit <host-ip>
# Note: weak ciphers (arcfour, DES), weak MACs (MD5), and old key exchange (diffie-hellman-group1-sha1) are findings

FTP (port 21)

# Test anonymous login:
ftp <host-ip>
# At the Name prompt: anonymous
# At the Password prompt: any email address
# If logged in: run 'ls' to list the root directory; run 'get <file>' to retrieve a file

# Nmap FTP scripts:
nmap --script=ftp-anon,ftp-syst -p 21 <host-ip>

HTTP / HTTPS (ports 80, 443, 8080)

For this lab, limit web service enumeration to the HTTP response headers and the Nmap http-title script. Full web recon is Week 4.

# HTTP headers:
curl -I http://<host-ip>

# Nmap HTTP scripts:
nmap --script=http-title,http-headers,http-methods -p 80 <host-ip>

MySQL / PostgreSQL / MSSQL (ports 3306, 5432, 1433)

# Attempt connection with default/blank credentials:
mysql -h <host-ip> -u root -p  # press Enter at the password prompt to try an empty password

# Nmap database scripts:
nmap --script=mysql-info,mysql-empty-password -p 3306 <host-ip>

Other services

For any other service type present in your scan results (SMTP port 25, SNMP port 161 UDP, NFS port 2049, VNC port 5900, RDP port 3389), look up the relevant Nmap NSE scripts and service-specific tool and run a brief enumeration. Document the results.


Deliverable: Host inventory

Produce a structured host inventory in Markdown table format:

## Host Inventory

### Host: 192.168.x.20

| Property | Value |
|---|---|
| IP | 192.168.x.20 |
| Hostname | metasploitable.localdomain |
| OS (Nmap guess) | Linux 2.6.24-16 (Ubuntu 8.04; confidence 95%) |
| Open ports | 21, 22, 23, 25, 53, 80, 111, 139, 445, 512, 513, 514, 1099, 1524, 2049, 2121, 3306, 5432, 5900, 6000, 6667, 8009, 8180 |

#### Open Services

| Port | Service | Version | Notable |
|---|---|---|---|
| 21/tcp | ftp | vsftpd 2.3.4 | Anonymous login enabled; vsftpd 2.3.4 has a known backdoor (CVE-2011-2523) |
| 22/tcp | ssh | OpenSSH 4.7p1 | Very old; multiple historical CVEs; consider weak ciphers |
| 23/tcp | telnet | Linux telnetd | Plaintext credential transmission; no reason to expose |
| 80/tcp | http | Apache httpd 2.2.8 | Default page; DVWA installed |
| 445/tcp | smb | Samba 3.0.20 | Null session enumeration succeeded; SMB signing disabled |
| 3306/tcp | mysql | MySQL 5.0.51a | Anonymous login enabled; root with empty password |

#### Enumeration notes

- **SMB null session (enum4linux):** Shares discovered: `print$`, `tmp`, `opt`, `IPC$`, `ADMIN$`. User list: [msfadmin, service, user]. Password policy: minimum length 5.
- **FTP anonymous:** Login succeeded. Root directory contains PHP scripts.
- **MySQL:** Root login with empty password succeeded. Databases: `information_schema`, `dvwa`, `metasploit`, `mysql`, `owasp10`, `tikiwiki`, `tikiwiki195`.
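Rather than transcribing each scan by hand, the inventory above can be generated from the .xml file Nmap writes with -oA. The following is an added example, not course-provided code: it pulls the IP, hostname, OS guess and open services out of Nmap XML and renders the same Markdown layout, leaving the Notable column for you to fill in from the Phase 3 results. The XML is a constructed sample modelled on Nmap's output structure, not a real scan.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the structure Nmap writes to the .xml file with -oA;
# values mirror the inventory example above and are not real scan output.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap"><host>
<address addr="192.168.56.20" addrtype="ipv4"/>
<hostnames><hostname name="metasploitable.localdomain" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="2.3.4"/></port>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="4.7p1"/></port>
<port protocol="tcp" portid="8180"><state state="filtered"/><service name="unknown"/></port>
</ports>
<os><osmatch name="Linux 2.6.24-16 (Ubuntu 8.04)" accuracy="95"/></os>
</host></nmaprun>"""

def parse_nmap_xml(text):
    """Return one dict per host: ip, hostname, OS guess, and open ports with service/version."""
    hosts = []
    for h in ET.fromstring(text).iter("host"):
        addr = h.find("address[@addrtype='ipv4']")
        name = h.find("hostnames/hostname")
        osm = h.find("os/osmatch")  # Nmap lists its best guess first
        ports = []
        for p in h.iter("port"):
            state = p.find("state")
            if state is None or state.get("state") != "open":
                continue  # the inventory lists open ports only
            svc = p.find("service")
            product = svc.get("product", "") if svc is not None else ""
            version = svc.get("version", "") if svc is not None else ""
            ports.append({"port": int(p.get("portid")), "proto": p.get("protocol"),
                          "service": svc.get("name", "") if svc is not None else "",
                          "version": (product + " " + version).strip()})
        hosts.append({"ip": addr.get("addr") if addr is not None else "?",
                      "hostname": name.get("name") if name is not None else "",
                      "os": f"{osm.get('name')}; confidence {osm.get('accuracy')}%" if osm is not None else "unknown",
                      "ports": sorted(ports, key=lambda x: x["port"])})
    return hosts

def to_markdown(host):
    """Render one host in the deliverable's Markdown layout; Notable is left blank for the analyst."""
    lines = [f"### Host: {host['ip']}", "", "| Property | Value |", "|---|---|",
             f"| IP | {host['ip']} |", f"| Hostname | {host['hostname']} |",
             f"| OS (Nmap guess) | {host['os']} |",
             f"| Open ports | {', '.join(str(p['port']) for p in host['ports'])} |",
             "", "#### Open Services", "", "| Port | Service | Version | Notable |", "|---|---|---|---|"]
    lines += [f"| {p['port']}/{p['proto']} | {p['service']} | {p['version']} | |" for p in host["ports"]]
    return "\n".join(lines)
```

Run parse_nmap_xml over the contents of each nmap-<ip>.xml and print to_markdown for every host it returns, then add the Notable entries by hand.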

Submission

  • Host inventory Markdown document
  • Appendix A: masscan-output.txt (raw Masscan output)
  • Appendix B: Nmap output files for each host (.nmap text format)
  • Appendix C: Key service-enumeration outputs (enum4linux, smbmap, ssh-audit)