Lab Exercise 4 Revision 2

Revision 2 clarifies question 9.

Revision 1 has clarification for question 3, and removes a spurious “}” from the web page.

Due: June 3, 2021
Points: 100

This laboratory exercise has you use a network probing tool called nmap to see what services a host is running, along with some other information. nmap is on the CSIF, so we will begin with those systems. The documentation is available online, at; please refer to it as needed.

Do not run nmap against a host unless (1) you have permission of the system managers; or (2) you are the system manager. We have obtained the permission of the CSIF manager, the College of Engineering security team, and the campus security team for these exercises, so as long as you run nmap with the source and target as described below, you will not be violating any rules.

For this set of exercises, you will need to log into two CSIF systems. Please use and If they are not up, use and; then if needed, and If none of those pairs are up, pick any 2 CSIF systems.

Hosts on the Same Subnet

On the CSIF, log into your two systems. We’ll use pc12 and pc13, but if you use different systems, replace the names accordingly.

Step 1

On pc13, run the command

    nmap localhost

and then


[1.]  Are there any different services in the output? If so, what are they, and why do they occur?

By default, nmap looks only at common ports. The option -p allows you to specify which ports to look at. The forms are a comma-separated list of ports or a range. If the beginning of the range is omitted it is 1, the first port; if the end is omitted, it is 65535, the last port. So the following command checks all the ports.

    nmap -p- localhost

Execute it and compare the output to that of “nmap localhost”.

[2.]  Do they report different services and if so, how and why do they differ?

Step 2

Next, look at probing another system. From pc13, run


Then on pc12, run

    nmap localhost

and then


[3.]  Compare the command just run on pc13 to the two run on pc12. Are there any different services in the output? If so, what are they, and why do they occur?

Hosts on Different Networks at UC Davis

The above tests were all run on the same subnet. Now we will experiment with hosts on 2 different networks. For these experiments, there is a firewall between the two networks; this will affect how nmap runs.

Step 1

On pc12, run:


You will notice that some ports are labeled “filtered”.

[4.]  What does that mean?

Step 2

The nmap option -A provides information about the servers, including version number and associated data. Please use it to scan (warning: it may take as long as 5 minutes, so be patient).
[5a.]  What version of ssh is running?
[5b.]  What programs are running as the servers for SMTP and HTTP, and what are their version numbers?
[5c.]  What operating system is running?

Repeat this for the system

[6a.]  What version of ssh is running?
[6b.]  What other server(s) is running, and what are their version numbers?

Hosts Crossing the UC Davis Boundary

Now let’s see what happens when a probe crosses a network boundary. We’l also try a couple of options that you can’t use on the CSIF because you have to be root or the administrator to run them. So you will need to use nmap on on a system where you do have those privileges (in what follows, this system will be called “your system”).

If you need to install it, download it from and follow the instructions.

There are different ways to scan a system. The first is to attempt to open a TCP connection to the port on the host. This does not require root privileges, and the option is -sT. Execute the command:

    nmap -sT

Compare this result with the result of step 1 of the previous section.

[7.]  Do the two report different services? If so, how? Look at the state column in particular.

Many services are UDP-based, such as DNS and DHCP. The option -sU sends a UDP packet to the port. The reply tells nmap about the state of the port. As it writes directly to the raw network socket, root privileges are required. Execute this command.

    nmap -sU

Warning: it will be slow. If you get a response that seems down, run the command with the additional option -Pn. When nmap starts a UDP scan, it pings the host to maki sure it is up. The -Pn option says to skip that check. You may see some messages about “Offending packet”. You can ignore these.

[8.]  The state of the syslog server is given as “open|filtered”. What does this mean?

Another probe sends malformed TCP packets to ports and determines their possible states from the response. The option -sX causes three TCP flags (FIN, URG, PSH) to be set; such a packet is commonly called a “Christmas tree packet”. Execute the following command:

    nmap -sX

[9.]  Compare the results of this with the results from nmap -sT, which was the first command in this part. Why are the states of the services shown differently?

Finally, look at the actual packets. Start wireshark, and use the following filter:

    ip.addr== IP address

Execute the command

    nmap -r -p1-1024

[10.]  What port does your system send the SYN that receives on ports 1 and 2? With what packets does respond? Enclose a screen shot to show this.

UC Davis sigil
Matt Bishop
Office: 2209 Watershed Sciences
Phone: +1 (530) 752-8060
ECS 153, Computer Security
Version of May 28, 2021 at 12:03AM

You can also obtain a PDF version of this.

Valid HTML 4.01 Transitional Built with BBEdit Built on a Macintosh