Activity 12.1 Identify a Network Scan

In this exercise I will walk through how to initiate a network scan and then identify it in the captured traffic, using a Linux (Kali) machine as the scanner.

  1. I will start up both my Kali and Metasploitable VMs.
  2. On Kali, open Wireshark and a terminal window.
  3. Determine the IP address of the Metasploitable VM by running ifconfig on it. In my case it is 10.0.2.4.
  4. Start the Wireshark capture on the Kali machine using the active interface, in my case “eth0.” Initially you may only see DHCP and ARP messages.
  5. Now we will start the nmap scan on the Kali machine. Type in: nmap -p 1-65535 <IP of the Metasploitable VM>
  6. Notice all the exciting ports which are open on the Metasploitable VM. Let's try navigating to some of them via the IP address + port number in the Kali Iceweasel browser.
  7. Not surprisingly, the VM is running a web server on port 80.
  8. More surprisingly, the VM is also running FTP, NFS, etc.
  9. Stop the Wireshark capture.
  10. Using display filters, we can review the traffic captured.
  11. Entering tcp.port==80 will display the connections our Kali machine made to the Metasploitable VM's web server.
  12. Now let's investigate the scan we conducted.
  13. Navigate to Edit > Preferences > Appearance > Columns. Adjust the layout to include both the “Src port (unresolved)” and “Dest port (unresolved)” columns.
  14. This will allow us to easily see all the ports scanned in order. Enter the following filter: ip.dst == <IP of the Metasploitable VM>, then sort the packet list by the Time column. Now we can sift through all our glorious sequential port scans.
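Steps 10 to 14 do the detection by hand: filter on the destination address, sort by time, and notice one source walking through destination ports one after another. The script below is an added example, not part of the original write-up, that performs the same check programmatically over packet records. The packet list is constructed inline; 10.0.2.4 is the Metasploitable address from the write-up, while 10.0.2.15 is an assumed placeholder for the Kali scanner (the write-up never states Kali's address). A real deployment would feed it records exported from the capture (for example with tshark) instead of the constructed list.

```python
"""Added example: detect a port scan the way steps 10-14 do in Wireshark.

filter_dst() mirrors the display filter `ip.dst == <ip>` followed by sorting
on time; detect_port_scans() flags any source that sends initial SYNs to an
unusually large number of distinct ports on one host inside a short window.
"""
from collections import Counter, defaultdict

# Each record: (time_seconds, src_ip, dst_ip, dst_port, tcp_flags)
# Constructed sample traffic: two ordinary connections from a browsing host,
# then a burst of SYNs to 200 consecutive ports from the (assumed) Kali
# address 10.0.2.15 toward the Metasploitable VM at 10.0.2.4.
SAMPLE_PACKETS = [
    (0.00, "10.0.2.2", "10.0.2.4", 80, "S"),
    (0.01, "10.0.2.4", "10.0.2.2", 49152, "SA"),   # SYN/ACK reply, not a scan
    (0.50, "10.0.2.2", "10.0.2.4", 443, "S"),
]
SAMPLE_PACKETS += [
    (1.0 + 0.001 * port, "10.0.2.15", "10.0.2.4", port, "S")
    for port in range(1, 201)
]
SAMPLE_PACKETS += [(1.5, "10.0.2.4", "10.0.2.15", 22, "SA")]  # one open port answers


def filter_dst(packets, dst_ip):
    """Equivalent of the Wireshark filter `ip.dst == dst_ip`, sorted by time."""
    return sorted((p for p in packets if p[2] == dst_ip), key=lambda p: p[0])


def detect_port_scans(packets, window=2.0, threshold=50):
    """Return {(src, dst): max_distinct_ports} for every source/destination pair
    whose initial SYNs reached more than `threshold` distinct destination ports
    within any `window`-second span.

    Only the fan-out over destination ports is used, so the check works for
    both SYN scans and full-connect scans (nmap uses either, depending on
    privileges); replies (SYN/ACK) are ignored so the scanned host is never
    itself reported as the scanner.
    """
    by_pair = defaultdict(list)
    for t, src, dst, port, flags in packets:
        if "S" in flags and "A" not in flags:      # initial SYN only
            by_pair[(src, dst)].append((t, port))

    alerts = {}
    for pair, events in by_pair.items():
        events.sort()
        ports_in_window = Counter()                 # port -> SYNs inside window
        left = 0
        best = 0
        for t, port in events:                      # sliding window over time
            ports_in_window[port] += 1
            while t - events[left][0] > window:     # drop events that fell out
                old_port = events[left][1]
                ports_in_window[old_port] -= 1
                if ports_in_window[old_port] == 0:
                    del ports_in_window[old_port]
                left += 1
            best = max(best, len(ports_in_window))
        if best > threshold:
            alerts[pair] = best
    return alerts


if __name__ == "__main__":
    scanned = filter_dst(SAMPLE_PACKETS, "10.0.2.4")
    print(f"{len(scanned)} packets addressed to 10.0.2.4; first few ports:",
          [p[3] for p in scanned[:5]])
    for (src, dst), n in detect_port_scans(SAMPLE_PACKETS).items():
        print(f"ALERT: {src} probed {n} distinct ports on {dst} within the window")
```

The threshold and window are the baseline-style knobs from the glossary: a browsing host touches a handful of ports per server, while a full scan such as `nmap -p 1-65535` touches thousands in seconds, so even a conservative threshold of 50 distinct ports in two seconds separates the two cleanly on the constructed input.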

Glossary

A glossary of all the terms, acronyms and slang I run across for this chapter.

Active Network Monitoring: Reaches out to remote systems to gather data. Gathers data about availability, routes, packet delay/loss and bandwidth. Ping and iPerf are two examples.
Bandwidth Consumption: Can cause service outages and disruption of security functions - a serious concern.
Baseline Detection: Aka anomaly detection. Alerts when thresholds are exceeded.
Beaconing: Heartbeat traffic sent to an attacker's command and control server - usually over HTTP or HTTPS.
DDoS: Distributed Denial of Service attack - a DoS attack which comes from multiple networks simultaneously.
Detecting Malware Techniques: Central management tools, anti-malware tools, software file blacklisting, application whitelisting.
df: Linux tool - displays a report of a system's disk usage.
Heuristics: Behaviour-based detection. Alerts when strange behaviours are detected.
Host-related Checking Techniques: Processor monitoring, memory monitoring, drive capacity monitoring, filesystem changes and anomalies.
iPerf: Measures the maximum bandwidth that an IP network can handle. Allows remote testing of link bandwidth in addition to internal bandwidth testing. Useful for establishing a network baseline.
Linux Services: Managed by running service --status-all and by checking /etc/init.d/<service name> status.
Malicious Scheduled Tasks: Check cron in Linux and Task Scheduler in Windows.
Memory Leak: Occurs when a program does not release its memory even after it is no longer being used - this results in increasing consumption until the program crashes.
Passive Monitoring: Captures network data as traffic passes a location on a network, such as collecting tap data.
perfmon: Windows performance monitoring utility - best for more detailed graphing.
Potentially Malicious Windows Tools: cmd.exe, at.exe, schtasks.exe, wmic.exe, powershell.exe, net.exe, reg.exe, sc.exe.
Protocol Analysis: Captures packets and looks for unexpected traffic types in order to detect an attacker.
PRTG: Paessler Router Traffic Grapher, a tool which provides packet sniffing, flows, SNMP and WMI.
ps: Linux tool - provides CPU and memory utilisation.
Registry Run Keys: Located under HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER.
resmon: Windows Resource Monitor utility - best for checking basic metrics.
Rogue Checking Techniques: Valid MAC address checking, MAC address vendor checking, network scanning, site surveys, traffic analysis.
Rogue Devices: An unwanted device connected to your network.
Router-based Monitoring: Available options include NetFlow, RMON, SNMP.
SCOM: System Center Operations Manager - Windows monitoring tool.
Sysinternals: Additional advanced Windows monitoring tools.
top: Linux tool - provides CPU and memory utilisation along with stats about processes.
w: Linux tool - indicates which accounts are logged in.
Windows Services: Managed in services.msc.
Wired Rogue Checking Techniques: MAC port security or Network Access Control can prevent this.
WMI: Windows Management Instrumentation.