1. Host Discovery Using the 'ping' Command: Your first task is to perform host discovery on the client's network using the 'ping' command. Provide a detailed explanation of the data you can extract from the results and how this helps in the assessment.
>>>Solution =
Here I use my Metasploitable-2 ([Link]), Windows-11 ([Link]) & Kali-2025.2 ([Link]).
ping output, line-by-line explanation:
- icmp_seq=N: sequence number of the probe.
- ttl=64: TTL of the reply (gives a hint about the OS and the number of hops).
- time=2.63 ms: round-trip time (RTT) in milliseconds.
Metasploitable-2 ([Link]):
--- [Link] ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5008ms
rtt min/avg/max/mdev = 1.160/1.612/2.627/0.479 ms

Windows-11 ([Link]):
--- [Link] ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5007ms
rtt min/avg/max/mdev = 0.646/1.204/1.729/0.395 ms

Kali-2025.2 ([Link]):
--- [Link] ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5110ms
rtt min/avg/max/mdev = 0.035/0.075/0.165/0.041 ms
How ping results help a security assessment (concrete uses):
- Initial inventory: discover live hosts to target for later safe scans.
- Segmentation check: hosts reachable from your test point that should be isolated indicate segmentation issues.
- Firewall/ACL fingerprinting: systematic ICMP blocking suggests filtering; document which subnets filter ICMP.
- Scan planning: high latency or packet loss → use lower scan concurrency/rate to avoid disruption.
- Device hints: combine TTL + MAC OUI (via arp) + DNS name to infer device role (server, router, IoT).
- Baseline evidence: store ping logs as timestamped evidence of reachability for the report.
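As an added example (not part of the original write-up), the following Python script parses Linux ping output into the fields listed above and derives the two things the assessment uses it for: an OS/hop hint from the reply TTL and a scan-timing recommendation from loss and latency. The per-probe reply lines and the 192.0.2.x addresses are constructed for the example; the two summary lines copy the Metasploitable-2 statistics block. The TTL mapping uses the common initial values (64 for Linux/Unix-like systems, 128 for Windows, 255 for many network devices); it is a heuristic, not proof of the OS.

```python
import re

# Constructed sample of Linux `ping -c 6` output. The reply lines are made up
# for this example; the two summary lines copy the Metasploitable-2 block
# quoted above, with the host address replaced by a documentation IP.
SAMPLE_PING = """\
PING 192.0.2.10 (192.0.2.10) 56(84) bytes of data.
64 bytes from 192.0.2.10: icmp_seq=1 ttl=64 time=1.16 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=64 time=2.63 ms
64 bytes from 192.0.2.10: icmp_seq=3 ttl=64 time=1.40 ms
64 bytes from 192.0.2.10: icmp_seq=4 ttl=64 time=1.50 ms
64 bytes from 192.0.2.10: icmp_seq=5 ttl=64 time=1.60 ms
64 bytes from 192.0.2.10: icmp_seq=6 ttl=64 time=1.38 ms

--- 192.0.2.10 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5008ms
rtt min/avg/max/mdev = 1.160/1.612/2.627/0.479 ms
"""

# Constructed sample of a host that never answered (down, or ICMP filtered):
# no reply lines and no rtt summary line at all.
SAMPLE_NO_REPLY = """\
PING 192.0.2.20 (192.0.2.20) 56(84) bytes of data.

--- 192.0.2.20 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5107ms
"""

REPLY_RE = re.compile(r"icmp_seq=(\d+) ttl=(\d+) time=([\d.]+) ms")
STATS_RE = re.compile(r"(\d+) packets transmitted, (\d+) received, ([\d.]+)% packet loss")
RTT_RE = re.compile(r"rtt min/avg/max/mdev = ([\d.]+)/([\d.]+)/([\d.]+)/([\d.]+) ms")

# Common initial TTL values. A reply whose TTL sits just below one of these
# most likely started there and lost one per router hop on the way back.
INITIAL_TTLS = ((64, "Linux/Unix-like"), (128, "Windows"), (255, "network device / other"))


def ttl_hint(ttl):
    """Return (OS family guess, estimated hops) for an observed reply TTL."""
    for initial, label in INITIAL_TTLS:
        if ttl <= initial:
            return label, initial - ttl
    return "unknown", None


def scan_rate_advice(loss_pct, avg_rtt_ms):
    """Turn loss/latency into a timing recommendation for the later port scan."""
    if loss_pct >= 100:
        return "no ICMP reply: host may be down or ICMP filtered; do not assume it is offline"
    if loss_pct > 0 or (avg_rtt_ms is not None and avg_rtt_ms > 100):
        return "degraded path: lower scan rate/concurrency (e.g. nmap -T2)"
    return "healthy path: normal scan timing (nmap -T3) is acceptable"


def parse_ping(text):
    """Extract per-probe replies, the statistics block and the derived hints."""
    replies = [
        {"seq": int(seq), "ttl": int(ttl), "rtt_ms": float(rtt)}
        for seq, ttl, rtt in REPLY_RE.findall(text)
    ]
    stats = STATS_RE.search(text)
    if stats is None:
        raise ValueError("no ping statistics block found")
    transmitted, received, loss = int(stats[1]), int(stats[2]), float(stats[3])
    rtt_line = RTT_RE.search(text)
    rtt = None
    if rtt_line:
        rtt = dict(zip(("min", "avg", "max", "mdev"), map(float, rtt_line.groups())))
    os_hint, hops = ttl_hint(replies[0]["ttl"]) if replies else ("unknown", None)
    return {
        "replies": replies,
        "transmitted": transmitted,
        "received": received,
        "loss_pct": loss,
        "rtt": rtt,
        "os_hint": os_hint,
        "hops": hops,
        "advice": scan_rate_advice(loss, rtt["avg"] if rtt else None),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_PING, SAMPLE_NO_REPLY):
        r = parse_ping(sample)
        print(f"{r['received']}/{r['transmitted']} replies, loss {r['loss_pct']}%, "
              f"OS hint {r['os_hint']} ({r['hops']} hops): {r['advice']}")
```

Feed it the saved output of each ping run (the same logs kept as baseline evidence) and the returned dictionary gives the fields to put in the inventory table; the no-reply case is kept deliberately, because a 100% loss result must be recorded as "unknown", not as "host offline".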
2. Comprehensive Port Scan: Now, you need to conduct a comprehensive and non-intrusive port scan on the specified target IP address. Outline the steps you would take, including the choice of tools and software. Explain the reasons for using non-intrusive methods.
>>>Solution =
Cmd== nmap -sS -sV -O -p- --top-ports 1000 --version-light --osscan-limit -T3 -oA full_scan [Link] (Kali-2025.2 IP).
Breakdown of options:
-sS → TCP SYN scan (stealthier and faster than a full connect scan; requires root privileges).
-sV → Detect service versions (what's running on open ports).
-O → Attempt OS detection (also requires root privileges).
-p- → Scan all 65,535 TCP ports.
--top-ports 1000 → Focuses on the most common 1000 ports first (quicker results).
--version-light → Uses safe/light probes (non-intrusive).
--osscan-limit → Runs OS detection only if the target seems suitable.
-T3 → Normal speed (safe for production networks).
-oA full_scan → Saves results in 3 formats: .nmap, .gnmap, .xml.
[Link] → target IP.
Why Use Non-Intrusive Methods?
1. Stability — Aggressive scans (e.g., SYN floods, fragmentation, exploit probes) can crash fragile systems like IoT devices, printers, or old servers.
2. Business Continuity — Client operations must not be disrupted; non-intrusive scans keep systems online.
3. Accuracy — Controlled scans reduce false positives caused by IDS/IPS blocking unusual probes.
4. Compliance & Trust — Following safe practices builds client confidence and ensures legal/ethical compliance.
5. Efficiency — Targeted scans (top ports, version-light) provide useful results faster than noisy, full-blast scans.
3. OS Discovery and Ethical/Legal Considerations: Perform OS discovery on the network you do not own or manage. Discuss the ethical and legal considerations that security professionals should be aware of and adhere to during this process.
>>>Solution = cmd>> nmap -O <target IP>
Nmap scan report breakdown for [Link] ([Link]):
1. Target: [Link]
2. Hostname resolved: [Link]
[Link] is up (0.000076s latency).
- The host is online.
- Extremely low latency → same LAN / very close on the network.
[Link] shown: 999 closed tcp ports (reset)
- Out of 1000 common ports, 999 are closed.
- They actively responded with a TCP RST (reset).
[Link] STATE SERVICE
80/tcp open http
- Port 80 (HTTP) is open.
- A web server is running on this host.
[Link] type: general purpose
- Classified as a general-purpose system (desktop, laptop, or server).
[Link]: Linux 2.6.X|5.X
- OS family: Linux
- Possible versions: Linux kernel 2.6.X or 5.X
[Link] CPE: cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:6
- Standardized CPE identifiers for Linux kernels.
- Useful for mapping vulnerabilities in databases (like NVD).
[Link] details: Linux 2.6.32, Linux 5.0 - 6.2
- More refined guess:
  - Either a very old kernel (2.6.32)
  - Or modern versions: Linux 5.0 – 6.2
- The range exists because multiple kernels respond similarly to probes.
[Link] Distance: 0 hops
- The host is directly reachable (same subnet, no routers in between).
[Link] detection performed. Please report any incorrect results...
- Nmap finished OS detection but isn't fully certain.
- Asks users to report inaccuracies to improve its fingerprint database.
Final Interpretation
Host [Link] is up and running Linux (likely kernel 5.x – 6.x, but could also be the older 2.6.32).
It's a general-purpose system on your local network (0 hops).
Only HTTP (port 80) is open → a web server is running.
Results are accuracy-limited because Nmap did not get more open/closed ports to compare.
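As an added example, not taken from the assignment, here is a Python parser for Nmap's normal output: the .nmap file that -oA in Q2 writes, and the format the report above is read from. It pulls out the open ports with their -sV VERSION column, the "Not shown" count, the OS CPE identifiers split into their CPE 2.2 fields, the network distance, and records whether the scan met the condition Nmap itself wants for a trustworthy OS match (at least one open and one closed port observed). The sample output, the hostname target.example, the address 192.0.2.10 and the service versions in it are constructed to mirror the Q3 report, not observations from the lab.

```python
import re

# Constructed Nmap normal output (the .nmap file written by -oA), modelled on
# the Q3 report above. Hostname, address and the VERSION values are placeholders.
SAMPLE_NMAP = """\
Nmap scan report for target.example (192.0.2.10)
Host is up (0.000076s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1
80/tcp open  http    Apache httpd 2.4.38
Device type: general purpose
Running: Linux 2.6.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:6
OS details: Linux 2.6.32, Linux 5.0 - 6.2
Network Distance: 0 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?$", re.M)
UP_RE = re.compile(r"^Host is up \(([\d.]+)s latency\)", re.M)
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) ([\w|]+) (tcp|udp) ports", re.M)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*?))?\s*$", re.M)
CPE_RE = re.compile(r"^OS CPE: (.*)$", re.M)
DETAILS_RE = re.compile(r"^OS details: (.*)$", re.M)
DISTANCE_RE = re.compile(r"^Network Distance: (\d+) hops?", re.M)

# Field order of a CPE 2.2 URI: cpe:/part:vendor:product:version:update:edition:language
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")


def parse_cpe(uri):
    """Split a CPE 2.2 URI such as cpe:/o:linux:linux_kernel:2.6.32 into named fields."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri}")
    values = uri[len("cpe:/"):].split(":")
    values += [""] * (len(CPE_FIELDS) - len(values))   # trailing fields may be omitted
    return dict(zip(CPE_FIELDS, values))


def parse_nmap(text):
    """Extract host, port table, OS guesses and the basis for the OS match."""
    host = HOST_RE.search(text)
    up = UP_RE.search(text)
    not_shown = NOT_SHOWN_RE.search(text)
    ports = [
        {"port": int(num), "proto": proto, "state": state, "service": svc, "version": ver}
        for num, proto, state, svc, ver in PORT_RE.findall(text)
    ]
    # Count states from the listed ports plus the summarised "Not shown" line.
    counts = {"open": 0, "closed": 0, "filtered": 0}
    for p in ports:
        counts[p["state"]] = counts.get(p["state"], 0) + 1
    if not_shown:
        counts[not_shown[2]] = counts.get(not_shown[2], 0) + int(not_shown[1])
    cpe_line = CPE_RE.search(text)
    details = DETAILS_RE.search(text)
    distance = DISTANCE_RE.search(text)
    return {
        "hostname": host[1] if host else None,
        "ip": host[2] if host and host[2] else (host[1] if host else None),
        "latency_s": float(up[1]) if up else None,
        "ports": ports,
        "open_ports": [p["port"] for p in ports if p["state"] == "open"],
        "counts": counts,
        "os_cpes": [parse_cpe(c) for c in cpe_line[1].split()] if cpe_line else [],
        "os_details": details[1] if details else None,
        "distance_hops": int(distance[1]) if distance else None,
        # Nmap warns that OS results may be unreliable unless it saw at least
        # one open and one closed port; record whether this scan met that.
        "os_basis_ok": counts["open"] >= 1 and counts["closed"] >= 1,
    }


if __name__ == "__main__":
    result = parse_nmap(SAMPLE_NMAP)
    print(result["ip"], "open:", result["open_ports"], "counts:", result["counts"])
    for cpe in result["os_cpes"]:
        print("  OS CPE", cpe["vendor"], cpe["product"], cpe["version"] or "(any)")
    print("  OS match basis ok:", result["os_basis_ok"])
```

The parsed CPE fields are what you would feed into an NVD lookup for the patch-prioritisation step; the os_basis_ok flag is the check to run before trusting an OS guess in the report.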
4. Scanning Beyond IDS and Firewall: Conduct a scan beyond the Intrusion Detection System (IDS) and Firewall. Provide a report of all the outcomes, including vulnerabilities and potential risks that may have been missed by these security measures.
>>>Solution =
Quick mapping (command → purpose → what it can reveal → limitation):
[Link] -c 4 [Link]
Purpose: Reachability.
Reveals: Host up/down, basic latency.
Helps find: Hosts that may be reachable despite perimeter controls.
Limit: ICMP can be blocked; lack of reply ≠ host offline.
[Link] -c 3 [Link]
Purpose: L2 presence.
Reveals: MAC address, confirms same-LAN presence.
Helps find: Rogue devices, duplicate IPs.
Limit: Works only on the same broadcast domain.
[Link] --top-ports 100 -sT -Pn [Link]
Purpose: Low-noise port/service discovery.
Reveals: Most common open services, initial attack surface.
Helps find: Services IDS/firewall rules didn't block.
Limit: May trigger IDS; not exhaustive.
[Link] nmap -p- -sV --version-intensity 2 -Pn [Link]
Purpose: Full port + service/version enumeration.
Reveals: Rare/open ports, exact service versions (useful for CVE lookup).
Helps find: Hidden services behind firewall rules or host-based services.
Limit: No exploitation; may be noisy.
[Link] nmap -O --osscan-guess -Pn [Link]
Purpose: OS fingerprinting.
Reveals: Probable OS family/version — helps prioritize vulnerabilities.
Limit: Accuracy depends on responses; IDS may flag it.
[Link] -sV --script=banner,http-title,ssl-cert -Pn [Link]
Purpose: Safe metadata collection.
Reveals: Server banners, web titles, certificate details.
Helps find: Misconfigured apps, expired certs, exposed versions.
Limit: Passive info only — not proof of exploitability.
[Link] -I [Link]
Purpose: HTTP header inspection.
Reveals: Server header, security headers (HSTS, CSP), cookie flags.
Helps find: Missing/weak HTTP security controls.
Limit: Only HTTP; doesn't test auth logic.
[Link] s_client -connect [Link]:443 -showcerts | openssl x509 -noout -text
Purpose: Certificate/TLS inspection.
Reveals: Cert issuer, expiry, SANs, cipher negotiation (with extra checks).
Helps find: Expired/weak certificates or missing SANs.
Limit: Doesn't reveal the server-side TLS configuration exhaustively.
[Link] -I [Link] +%s)
Purpose: Generate a benign anomaly (detection test).
Reveals: Whether web access is logged/detected by IDS/SIEM.
Helps find: Logging gaps or correlation gaps.
Limit: Single event — needs SOC coordination.
10. nikto -host [Link] -Tuning 1
Purpose: Low-impact web scan.
Reveals: Common misconfigurations and outdated components.
Helps find: Well-known issues IDS might miss.
Limit: Contains many generic tests — avoid aggressive modes in production.
11. smbclient -L //[Link] -N
Purpose: Enumerate SMB shares (null/anonymous).
Reveals: Public shares, potential data exposure.
Helps find: Data leakage behind the perimeter.
Limit: If SMB is blocked or requires auth, returns less info.
12. enum4linux -a [Link]
Purpose: AD/SMB enumeration (non-destructive).
Reveals: Shares, users, OS info, null session answers.
Helps find: Misconfigurations and privileged exposure.
Limit: Needs accessible RPC/SMB ports.
13. ssh testuser@[Link] 'uname -a; lsb_release -d; sudo -n true 2>/dev/null || echo "no-sudo"'
Purpose: Credentialed inventory (read-only).
Reveals: Patch state, OS details, sudo capability.
Helps find: Unpatched packages, misconfigured sudo, missing EDR.
Limit: Requires an authorized credential; shows the internal view only.
14. sudo tcpdump -i eth0 host [Link] -w capture_192.[Link]
Purpose: Capture traffic for analysis.
Reveals: Protocols used, cleartext data, test artefacts.
Helps find: Data exfiltration channels or surprising outbound flows.
Limit: Large files; the capture must be stored/handled securely.
15. nmap -sT --scan-delay 200ms --max-retries 2 -p 1-1024 -Pn [Link]
Purpose: Low-rate port scan as a detection validation.
Reveals: IDS/firewall detection of scanning behavior.
Helps find: Blind spots in internal detection.
Limit: Must be coordinated with the SOC to avoid false alarms.
16. ssh invaliduser@[Link] exit || true
Purpose: Single failed auth attempt (detection test).
Reveals: Whether auth failures are logged/alerted.
Helps find: Missing auth monitoring or lockout policy issues.
Limit: Only one event — don't brute force.
17. searchsploit $(nmap --script=banner -Pn [Link] -p 80 2>/dev/null | sed -n 's/.*Service Info: //p' | head -n1)
Purpose: Defensive research — map observed services to public advisories.
Reveals: Potential public CVEs mapping to observed versions.
Helps find: Prioritized patch targets.
Limit: Only as good as banner accuracy; not a proof-of-exploit.
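Items 15 and 16 are detection tests, so the other half of the exercise is the logic on the SOC side that should fire on them. As an added example (my code, not from the write-up), this Python script runs two simple detections over constructed log lines: a rule over sshd syslog lines that alerts on any failed or invalid-user login per source address (item 16), and a sliding-window rule over iptables-style firewall log lines that flags a source touching 10 or more distinct destination ports within 60 seconds, which catches the 200 ms scan of item 15 despite its low rate. Host names, the 192.0.2.x addresses, the FW-IN log prefix and the year assumed for syslog timestamps are placeholders; the window and port thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd syslog lines: the single invalid-user attempt of item 16
# followed by a legitimate key-based login. Names and addresses are placeholders.
SAMPLE_AUTH_LOG = """\
Oct 10 12:00:05 target sshd[1234]: Invalid user invaliduser from 192.0.2.50 port 51000
Oct 10 12:00:07 target sshd[1234]: Failed password for invalid user invaliduser from 192.0.2.50 port 51000 ssh2
Oct 10 12:00:20 target sshd[1240]: Accepted publickey for testuser from 192.0.2.50 port 51002 ssh2: ED25519 SHA256:placeholder
"""

LOG_YEAR = 2025          # syslog timestamps carry no year; assumed for parsing
SYSLOG_TS = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) ")
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(\S+) from (\S+) port \d+")
FW_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP SPT=(\d+) DPT=(\d+) SYN")


def _build_fw_log():
    """Constructed iptables-style LOG lines: item 15's 200 ms scan plus normal browsing."""
    t0 = datetime(LOG_YEAR, 10, 10, 12, 5, 0)
    lines = []
    for i in range(12):                              # one SYN per port, 200 ms apart
        t = t0 + timedelta(milliseconds=200 * i)
        lines.append(f"{t:%b %d %H:%M:%S} gw kernel: FW-IN: IN=eth0 OUT= SRC=192.0.2.50 "
                     f"DST=192.0.2.10 PROTO=TCP SPT={40000 + i} DPT={i + 1} SYN")
    for i in range(5):                               # a normal client, port 80 only
        t = t0 + timedelta(seconds=10 * i)
        lines.append(f"{t:%b %d %H:%M:%S} gw kernel: FW-IN: IN=eth0 OUT= SRC=192.0.2.60 "
                     f"DST=192.0.2.10 PROTO=TCP SPT={50000 + i} DPT=80 SYN")
    return "\n".join(lines) + "\n"


SAMPLE_FW_LOG = _build_fw_log()


def parse_ts(line):
    """Parse the leading syslog timestamp into a datetime (year assumed)."""
    m = SYSLOG_TS.match(line)
    if not m:
        raise ValueError(f"no syslog timestamp: {line!r}")
    return datetime.strptime(f"{m[1]} {LOG_YEAR}", "%b %d %H:%M:%S %Y")


def failed_auth_alerts(text):
    """Per source: count failed SSH logins and collect invalid user names; any hit is an alert."""
    seen = defaultdict(lambda: {"failed": 0, "invalid_users": set()})
    for line in text.splitlines():
        if m := INVALID_RE.search(line):
            seen[m[2]]["invalid_users"].add(m[1])
        if m := FAILED_RE.search(line):
            seen[m[2]]["failed"] += 1
    return {src: {"failed": d["failed"], "invalid_users": sorted(d["invalid_users"])}
            for src, d in seen.items() if d["failed"] or d["invalid_users"]}


def port_scan_alerts(text, window_s=60, min_ports=10):
    """Flag a source that sends SYNs to >= min_ports distinct ports within window_s seconds."""
    recent = defaultdict(deque)          # src -> (timestamp, dport) pairs inside the window
    alerts = {}
    for line in text.splitlines():
        m = FW_RE.search(line)
        if not m:
            continue
        src, dport, ts = m[1], int(m[4]), parse_ts(line)
        q = recent[src]
        q.append((ts, dport))
        while ts - q[0][0] > timedelta(seconds=window_s):   # expire old probes
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= min_ports and src not in alerts:
            alerts[src] = {"first_seen": q[0][0].isoformat(), "distinct_ports": len(distinct)}
    return alerts


if __name__ == "__main__":
    print("auth alerts:", failed_auth_alerts(SAMPLE_AUTH_LOG))
    print("scan alerts:", port_scan_alerts(SAMPLE_FW_LOG))
```

If the SIEM already had rules like these, items 15 and 16 should each produce exactly one alert; if they produce none, the gap is in collection (the log never reached the SIEM) or in the rule threshold, and the report should say which.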
5. Network Scan Using Wireshark: Create a step-by-step tutorial on how to use Wireshark to carry out a basic network scan. Demonstrate how to locate open ports on a target machine as an example.
6. Generating a Comprehensive Report: After completing the tasks mentioned above, generate a comprehensive report summarizing your findings, including vulnerabilities, risks, and recommendations for improving the network's security.
>>>Solution =
Network Scan with Wireshark (Windows) - Report
Target IP: [Link]
Scope: Passive capture + authorized low-impact observation.
Preparation & Capture (Wireshark on Windows)
1. Pre-capture checklist (must do):
1.1. Obtain written authorization (Rules of Engagement) for IP [Link] and the capture point.
1.2. Choose a capture location that sees both directions of traffic (SPAN/mirror port, on-host capture, or same LAN segment).
1.3. Ensure sufficient storage and a secure location to store PCAP files. PCAPs may contain sensitive data; encrypt them for transport.
2. Install & start Wireshark (Windows):
2.1. Download & install Wireshark for Windows; allow installation of Npcap.
2.2. Run Wireshark from the Start menu; Npcap enables capture without running as Administrator where possible.
3. Create a capture session for the target:
3.1. Select the interface that sees the traffic (Ethernet/Wi-Fi).
3.2. Set a capture filter before starting to reduce noise: host [Link]
3.3. Click Start to begin capture.
4. (Optional, authorized) Generate low-impact traffic:
4.1. If allowed, from an authorized test host run a low-impact connect scan (example): nmap --top-ports 100 -sT -Pn [Link]
5. Stop and save:
5.1. After capturing enough activity, click Stop and save as capture_192.[Link]. Store securely.
Analysis in Wireshark: Find Open Ports
6. Key Wireshark display filters (paste into the Filter bar):
6.1. SYN packets (client → server attempts): [Link] == 1 && [Link] == 0 && [Link] == [Link]
6.2. SYN-ACK (target → client responses — implies open): [Link] == 1 && [Link] == 1 && [Link] == [Link]
6.3. RST (target sent reset — implies closed): [Link] == 1 && [Link] == [Link]
- All traffic to/from the target: [Link] == [Link]
7. Determining open/closed/filtered ports (rules of thumb):
7.1. Likely open: a SYN from a client to target:PORT followed by a SYN-ACK from the target to the client — the port is likely accepting connections.
7.2. Closed: a SYN followed by an RST from the target — the port is closed.
7.3. Filtered: SYNs observed but no reply (or an ICMP unreachable) — packets were likely dropped by a firewall/middlebox.
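As an added example (not part of the original tutorial), the following Python code applies the three rules of thumb above to a constructed packet list of the kind Wireshark shows in its packet list after the connect scan in step 4.1, and also builds the equivalent Wireshark display filters using Wireshark's own field names (tcp.flags.syn, tcp.flags.ack, tcp.flags.reset, ip.src, ip.dst, ip.addr, tcp.port). The addresses 192.0.2.10 (target), 192.0.2.50 (client) and 192.0.2.1 (a middlebox that answers one probe with ICMP unreachable) and the packet numbers are constructed; the code handles all three verdicts, including the retransmitted SYN that is never answered.

```python
from collections import defaultdict

TARGET = "192.0.2.10"   # constructed target address (stands in for [Link])

# Constructed packet summary in Wireshark packet-list style:
# (packet no, src, sport, dst, dport, proto, flags). For the ICMP unreachable
# entry, dport holds the port quoted in the embedded TCP header.
SAMPLE_PACKETS = [
    (101, "192.0.2.50", 54321, TARGET, 22, "tcp", {"SYN"}),
    (102, TARGET, 22, "192.0.2.50", 54321, "tcp", {"SYN", "ACK"}),
    (103, "192.0.2.50", 54321, TARGET, 22, "tcp", {"ACK"}),
    (104, "192.0.2.50", 54322, TARGET, 23, "tcp", {"SYN"}),
    (105, TARGET, 23, "192.0.2.50", 54322, "tcp", {"RST", "ACK"}),
    (106, "192.0.2.50", 54323, TARGET, 445, "tcp", {"SYN"}),
    (107, "192.0.2.50", 54323, TARGET, 445, "tcp", {"SYN"}),              # retransmit, never answered
    (108, "192.0.2.50", 54324, TARGET, 8080, "tcp", {"SYN"}),
    (109, "192.0.2.1", 0, "192.0.2.50", 8080, "icmp-unreach", set()),     # middlebox rejects the probe
]


def display_filters(target):
    """Wireshark display filters for the three rules, using Wireshark's field names."""
    return {
        "syn": f"tcp.flags.syn == 1 && tcp.flags.ack == 0 && ip.dst == {target}",
        "synack": f"tcp.flags.syn == 1 && tcp.flags.ack == 1 && ip.src == {target}",
        "rst": f"tcp.flags.reset == 1 && ip.src == {target}",
        "all": f"ip.addr == {target}",
    }


def port_excerpt_filter(target, port):
    """Per-port filter for File → Export Specified Packets (step 9.1)."""
    return f"tcp.port == {port} && ip.addr == {target}"


def classify_ports(packets, target):
    """Apply rules 7.1-7.3: SYN-ACK → open, RST → closed, SYN with no/ICMP reply → filtered."""
    probes = defaultdict(lambda: {"syn": 0, "synack": 0, "rst": 0, "icmp": 0, "evidence": []})
    for no, src, sport, dst, dport, proto, flags in packets:
        if proto == "tcp" and dst == target and flags == {"SYN"}:
            port, field = dport, "syn"            # client probe towards the target
        elif proto == "tcp" and src == target and {"SYN", "ACK"} <= flags:
            port, field = sport, "synack"         # target accepts the handshake
        elif proto == "tcp" and src == target and "RST" in flags:
            port, field = sport, "rst"            # target refuses
        elif proto == "icmp-unreach" and dst != target:
            port, field = dport, "icmp"           # something in the path rejected the probe
        else:
            continue                              # client ACKs, data etc. do not change the verdict
        probes[port][field] += 1
        probes[port]["evidence"].append(no)

    verdicts = {}
    for port, e in sorted(probes.items()):
        if e["synack"]:
            state, reason = "open", "SYN-ACK seen"
        elif e["rst"]:
            state, reason = "closed", "RST seen"
        elif e["icmp"]:
            state, reason = "filtered", "ICMP unreachable"
        elif e["syn"]:
            state, reason = "filtered", "no reply to SYN"
        else:
            state, reason = "unknown", "reply without a matching probe"
        verdicts[port] = {"state": state, "reason": reason, "evidence": e["evidence"]}
    return verdicts


if __name__ == "__main__":
    for name, expr in display_filters(TARGET).items():
        print(f"{name:7s} {expr}")
    for port, v in classify_ports(SAMPLE_PACKETS, TARGET).items():
        print(f"{port:5d} {v['state']:9s} {v['reason']} (pkts {v['evidence']})")
```

The evidence list per port is exactly what the findings template in section 10 asks for (the packet numbers behind each verdict), and the per-port filter string is the one to paste before exporting the excerpt pcap.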
8. Practical Wireshark actions (step-by-step clicks):
8.1. Apply the SYN filter and note the destination ports in the Info column (e.g., [Link]:54321 → [Link]:22).
8.2. Switch to the SYN-ACK filter to confirm responses from the target.
8.3. Right-click a TCP packet showing a handshake → Follow → TCP Stream to view the conversation and possible banners.
8.4. Use Statistics → Conversations → TCP and Protocol Hierarchy to summarize endpoints and protocols.
9. Export evidence snippets:
9.1. Apply a per-port filter (e.g., [Link] == 22 && [Link] == [Link]) → File → Export Specified Packets → save port22_excerpt.pcap.
Findings Template, Inferred Vulnerabilities & Evidence
10. Findings template (fill per observed port):
• Finding ID: F-001
• Target: [Link]
• Port / Protocol: 22/tcp (SSH)
• Observed behavior / Evidence: SYN (pkt #101 …) from client → target; SYN-ACK (pkt #102) from target → client; exported pcap port22_excerpt.pcap.
• Interpretation: Port responds to the handshake → likely open.
• Potential vulnerability / risk: SSH with password auth or an outdated version increases the risk of credential compromise.
• Recommendation: Restrict source IPs, enforce key-based auth + MFA, disable password auth, verify patches.
11. Common vulnerabilities you can infer from passive capture:
• Unencrypted protocols (HTTP/FTP) in cleartext → data/credential leakage.
• Missing security headers (HSTS/CSP) on web responses → downgrade/XSS risk.
• Service banners revealing versions → map to CVEs for patch prioritization.
• Open SMB shares → data exposure and lateral movement potential.
• Repeated failed authentications visible in the capture → attempted brute-force or misconfiguration.
Note: Passive capture infers exposure; credentialed scans are required for definitive exploitability and CVE verification.
12. Evidence collection checklist:
• Full capture saved: capture_192.[Link] (encrypt before sharing).
• Per-port excerpts: port22_excerpt.pcap, port80_excerpt.pcap, port445_excerpt.pcap.
• Screenshots: handshake filter results, conversation view, protocol hierarchy.
• Notes: packet numbers + timestamps supporting each finding.
Executive Summary, Recommendations & Appendix
13. Executive summary:
During an authorized passive capture and light observation on [Link], multiple TCP services responded to connection attempts. Analysis of SYN/SYN-ACK handshakes and application metadata identified likely open services and configuration gaps. Findings indicate exposure of management services, unencrypted web traffic, and possible file-share accessibility that could be abused after initial access. Below are prioritized remediation steps and detection improvements.
14. Prioritized findings (example order):
High priority:
• SMB (445) with session establishment and file operations → data exposure/lateral movement risk.
• Remote management (SSH/RDP) reachable broadly without restrictive ACLs → credential compromise risk.
Medium priority:
• HTTP without HTTPS/HSTS → MITM and credential exposure.
• Service banners show outdated versions → investigate with a credentialed patch scan.
Low priority:
• Non-standard open internal ports — review necessity and segment if unused.
15. Actionable remediation (by urgency):
Immediate (24–72 hours):
• Restrict SMB to management VLANs and disable anonymous/guest access.
• Harden remote access: restrict source IPs, enforce key-based SSH + MFA, use jump hosts or a VPN for RDP.
• Implement HTTPS everywhere and enable HSTS.
Short term (7–30 days):
• Run credentialed vulnerability scans and patch critical CVEs.
• Remove unused services and harden configurations.
• Centralize logging to a SIEM and ensure retention.
Medium term (30–90 days):
• Deploy endpoint detection (EDR) and forward logs to the SIEM.
• Implement micro-segmentation for critical assets.
16. Detection & monitoring improvements:
• Create SIEM rules: alert on SMB from unexpected hosts, SYNs to uncommon ports followed by SYN-ACKs on sensitive assets, and repeated failed logins.
• Correlate network captures with host logs (Windows Event Logs/syslog).
• Periodic purple-team exercises to validate detection coverage and SIEM tuning.
17. Remediation verification & acceptance criteria:
• Verification via credentialed re-scan, targeted packet capture, and SIEM alert tests.
• Example acceptance: SSH password auth disabled and verified; SMB blocked from unauthorized subnets; HTTP redirected to HTTPS with the HSTS header present.
18. Appendix — Quick Wireshark filters & steps (cheat-sheet):
• Capture filter (before start): host [Link]
• Display filters:
- SYN: [Link] == 1 && [Link] == 0 && [Link] == [Link]
- SYN-ACK: [Link] == 1 && [Link] == 1 && [Link] == [Link]
- RST: [Link] == 1 && [Link] == [Link]
• Export packets: apply filter → File → Export Specified Packets → save pcap.
19. Next steps:
• Schedule a credentialed vulnerability assessment and patch remediation for [Link].