Detection of Port Scan Attacks: How to use Nmap to scan open ports? How to use TCPDump to find scanning activity?

Büşra Gültekin
Dec 25, 2023


In the Matrix movie, Trinity uses the nmap command correctly to change the power station’s root password and gain access.

Hi security people!

In this article, we will detect scans made against our system and identify the IP address that performed them. To observe this, we need to install a Metasploitable machine as a second virtual machine alongside Kali.

Before the installation, I would like to talk a bit about what Metasploitable is.

💡 What is Metasploitable?


Metasploit is one of the most popular and top rated penetration testing tools on the market and is designed for penetration tests, vulnerability assessments and developing and executing exploit code against remote targets. Metasploit has several user interfaces, both command line and graphical user interfaces.

When you need to learn how to swim you need a swimming pool, and when you need to learn how to hack you need vulnerable machines to practice on. Metasploitable is that swimming pool: ethical hackers can use it to learn about ethical hacking without breaking any laws and regulations or needing to use production networks as a lab. Metasploitable2 is an intentionally vulnerable Linux machine which can be downloaded and set up as a virtual machine in any hypervisor such as VMware, VirtualBox or UTM.

For this Metasploitable2 tutorial I installed the UTM virtual machine on my Apple M1 and configured Metasploitable with no difficulties. UTM may not be as good as VirtualBox or VMware, but it's free of cost and you can easily use it to run any OS on your Mac.

I recommend you to follow this article to install it on your device, it will be very helpful to you.

Now you know what Metasploitable is and what it's used for. Let’s get into it. 🙂


First, we should install the metasploitable2 on our kali machine from here.

Once metasploitable2 is downloaded, open your UTM machine. Then follow these instructions:

  • Click on Create a New Virtual Machine.
  • Choose Emulate > Other.
  • Choose Skip ISO Boot.
  • Hardware options should be like this:
hardware
  • Storage options should be 10GB.
  • Leave the shared directory at its default option.
  • Edit the Summary and click on Save.
summary
  • QEMU Settings should be like this:
QEMU
  • Delete IDE Drives.
  • Create a new drive, import the metasploitable.vmdk file, click Open and Save the changes.
  • Set the network options to Bridged mode and Save.
Bridge Mode

💡 What is Bridge mode?

It is a kernel module that behaves like a network switch, forwarding packets between interfaces that are connected to it. It’s usually used for forwarding packets on routers, on gateways, or between virtual machines and network namespaces on a host.

In Bridge Mode, one router is designated as the primary router and is responsible for assigning IP addresses to devices on the network. The second router is connected to the primary router and acts as a bridge, allowing devices on the network to communicate with each other and access the internet.

🚀 Let’s launch both Kali Linux and the Metasploitable2 virtual machine and ensure that they are on the same isolated network, in Bridged (advanced) mode.

  • Run the ifconfig command in the Kali Linux terminal to see its IP address. The IP address will appear on the eth0 network adapter as follows.
  • Login to the metasploitable machine as admin: msfadmin, password: msfadmin
ifconfig Kali

🚀 As you see, we determined > Kali-Linux System IP: 192.168.2.82

  • Check the Metasploitable machine by running the ifconfig command there as well.
ifconfig metasploitable

🚀 As you see, we determined > Metasploitable System IP: 192.168.2.56

  • Let’s go ahead and test connectivity: from each machine, ping the other machine’s IP address. We should get a reply as below.
ping linux
ping metasploitable

So far we are done with configuring the vulnerable virtual machine and we can switch back to Kali Linux to run some scans on the vulnerable host to determine open ports and running services. 🚀

Detection of Port Scan Attacks


In these steps, we will run Nmap queries from the Kali Linux machine. Meanwhile, we will capture and analyze all of the traffic on the Metasploitable machine.

🔑 What is Nmap?

Nmap is short for Network Mapper. It’s an open-source Linux command-line tool that is used to scan IP addresses and ports in a network and to detect installed applications. Nmap allows network admins to find which devices are running on their network, discover open ports and services, and detect vulnerabilities.

  • Shows all hosts and devices connected to your network.
  • Creates a virtual ‘map’.
  • Can determine the operating system of the target.
  • Discovers hosts by sending a packet and analyzing the response.

How to use Nmap to scan open ports?

Here, we will execute a single query that retrieves port, service and version information about the Metasploitable machine.

Note: The IP addresses of my Kali and Metasploitable machines changed when I shut the machines down, so I repeated the same steps on them. The Kali IP address is now 192.168.0.22 and the Metasploitable IP address is now 192.168.0.14. Don’t be confused when you see the screenshots below.

This is the command you need to run:

sudo nmap -p- -sV Target_IP_Address

sudo : “superuser do”, gives a regular user administrator-like powers.

nmap : the Nmap scanning command

-p- : scans the whole range of ports

-sV : probes open ports for service and version information

The output looks as follows.

nmap
nmap port scanning

You can run more specific commands, or whatever else you need, to see what effect they have when observed from the second machine.

For example, I ran this command:

sudo nmap Target_IP_Address/24

and the output on Metasploitable2 was as follows.

capturing scan

🔑 What is TCPDump?

Tcpdump is a packet sniffer in Linux. It allows users to capture and display network packets flowing through a network interface in real-time or saved to a file for later analysis. Under the hood, tcpdump understands protocols and host names. It will do all in its power to see what host sent each packet and will tell you its name instead of the IP address. It is an exceptionally useful tool for debugging what might have caused certain networking related problems. It is an excellent tool to learn new things.

  • Acts similar to Wireshark but has a different interface.
  • Terminal-based.
  • You type in the command for which filter you want to apply.

How to use TCPDump to find scanning activity?

While we are performing a scan, let’s observe all the traffic with tcpdump. The main questions here are what kind of output we capture with the tcpdump command we run, how we analyze it, and how we know that this traffic is a port scan.

First, let’s check out the available network interfaces in our system with this command:

sudo tcpdump -D

We will use the first one (eth0) as below.

network interface

While the Kali machine scans our machine, let’s observe and catch the traffic with this command:

sudo tcpdump -i eth0 -v

Enter it as follows.

tcpdump query

As you can see, the live output on the Metasploitable machine looks like this:

tcpdump output
detect external port scan

To capture only the traffic of the specific host that is scanning us, try this command:

sudo tcpdump -i eth0 -v host IP_Address

Enter it as follows.

capture attacker

Now, you captured the attacker 🙂 :

observe attacks
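
One way to turn the tcpdump observation above into an automatic check, as an added example that is not part of the original article: a port scan shows up as one source sending bare SYN packets to many different destination ports in a short time. The sketch assumes the capture was taken with `sudo tcpdump -nn -i eth0 tcp` (without -v, so each packet is one line); the function names, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque

# One-line tcpdump format (tcpdump -nn, without -v), IPv4 only, e.g.
# 12:00:01.000000 IP 192.168.0.22.40000 > 192.168.0.14.22: Flags [S], seq 1, ...
LINE_RE = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) IP (\d+(?:\.\d+){3})\.(\d+) > "
    r"(\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]*)\]"
)

def find_scanners(lines, min_ports=10, window=5.0):
    """Return {(src, dst): peak distinct ports probed within `window` seconds}
    for pairs that reach min_ports. Only bare SYNs (flags 'S') are counted."""
    recent = defaultdict(deque)          # (src, dst) -> deque of (time, dport)
    peak = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group(8) != "S":
            continue                     # not IPv4 TCP, or not a connection-opening SYN
        h, mi, s, src, _sport, dst, dport, _flags = m.groups()
        now = int(h) * 3600 + int(mi) * 60 + float(s)
        q = recent[(src, dst)]
        q.append((now, int(dport)))
        while q and now - q[0][0] > window:
            q.popleft()                  # drop probes older than the window
        peak[(src, dst)] = max(peak[(src, dst)], len({p for _, p in q}))
    return {pair: n for pair, n in peak.items() if n >= min_ports}

def sample_capture():
    """Constructed capture: a 20-port SYN sweep plus one ordinary SSH handshake."""
    out = []
    for i, port in enumerate(range(20, 40)):
        t = f"12:00:01.{i * 1000:06d}"
        out.append(f"{t} IP 192.168.0.22.40000 > 192.168.0.14.{port}: Flags [S], seq 1, win 1024, length 0")
        out.append(f"{t} IP 192.168.0.14.{port} > 192.168.0.22.40000: Flags [R.], seq 0, ack 2, win 0, length 0")
    out.append("12:00:02.000000 IP 192.168.0.30.51000 > 192.168.0.14.22: Flags [S], seq 9, win 64240, length 0")
    out.append("12:00:02.000200 IP 192.168.0.14.22 > 192.168.0.30.51000: Flags [S.], seq 5, ack 10, win 5792, length 0")
    out.append("12:00:02.000400 IP 192.168.0.30.51000 > 192.168.0.14.22: Flags [.], ack 6, win 64240, length 0")
    return out

if __name__ == "__main__":
    for (src, dst), ports in find_scanners(sample_capture()).items():
        print(f"possible port scan: {src} -> {dst}, {ports} distinct ports")
```

Lowering `min_ports` or widening `window` catches slower scans at the cost of more false positives from busy but legitimate clients.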

Conclusion 🚀

With this tutorial-style article, you have learned how to run a second virtual machine in bridge mode, what happens when another device scans your device, how to observe these scans simply with tcpdump, and how such scans are performed with nmap.

Next article will be very exciting. Keep in touch!


“UNIQUESEC Student Club | Website (Link: https://uniquesec.org/) | Linkedin (Link: https://www.linkedin.com/company/uniquesec)”
