Simulate Network Conditions in Nmap

NmapBeginner
Practice Now

Introduction

In this lab, you will learn how to simulate various network conditions using Nmap. This includes simulating bad checksums and manipulating the Maximum Transmission Unit (MTU) to understand their impact on network scanning.

You'll explore commands like nmap --badsum 192.168.1.1 to send packets with corrupted checksums, nmap --mtu 1400 127.0.0.1 to set a specific MTU, and combinations thereof. You'll also learn to add verbosity with -v and save results to a file using -oN. Finally, you'll analyze the effects of these simulations in the Xfce terminal.

Simulate bad checksum with nmap --badsum 192.168.1.1

In this step, we will explore how to simulate a bad checksum using Nmap. Checksums are used to verify the integrity of data transmitted over a network. A bad checksum indicates that the data has been corrupted during transmission. Simulating a bad checksum can be useful for testing how a system handles corrupted packets.

First, let's understand the basic syntax of the command:

nmap --badsum <target_ip>

Here, --badsum is the option that tells Nmap to generate packets with an invalid checksum. <target_ip> is the IP address of the target you want to scan.

Before running the command, it's important to understand that sending packets with bad checksums might be interpreted as malicious activity by some network devices or security systems. Therefore, it's best to use this option on a test network or against a target you have explicit permission to scan.

Now, let's execute the command. We will target the IP address 192.168.1.1. Make sure you have the necessary permissions and that scanning this IP is allowed.

Open your Xfce terminal and execute the following command:

sudo nmap --badsum 192.168.1.1

You will likely see output indicating that Nmap is sending packets with a bad checksum. The exact output will depend on the target system and network configuration.

Example output (may vary):

Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 192.168.1.1
Host is up (0.00043s latency).
All 1000 scanned ports on 192.168.1.1 are filtered
Nmap done: 1 IP address (1 host up) scanned in 4.63 seconds

Note: The output shows that all ports are filtered. This is just an example, and the actual result depends on the target. The important part is that Nmap executed the scan with the --badsum option.

This command sends packets to 192.168.1.1 with deliberately corrupted checksums. This can be used to test how a system handles invalid packets.

Set MTU with nmap --mtu 1400 127.0.0.1

In this step, we will learn how to set the Maximum Transmission Unit (MTU) size using Nmap. The MTU is the largest packet size (in bytes) that a network interface can transmit. By default, Nmap automatically discovers the MTU of your network. However, you can manually set the MTU value for testing purposes.

The command we'll use is:

nmap --mtu <mtu_value> <target_ip>

Here, --mtu specifies the MTU value to use for the scan, and <target_ip> is the IP address of the target.

In this specific case, we will set the MTU to 1400 and target the loopback address 127.0.0.1. The loopback address is a special IP address that always refers to the local machine. This allows us to test Nmap's MTU setting without sending packets over a network.

Open your Xfce terminal and execute the following command:

sudo nmap --mtu 1400 127.0.0.1

You will see output from Nmap indicating that it is scanning the loopback address. The output will also show that the MTU is set to 1400.

Example output (may vary):

Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000090s latency).
All 1000 scanned ports on localhost (127.0.0.1) are closed
Nmap done: 1 IP address (1 host up) scanned in 0.02 seconds

This command tells Nmap to use an MTU of 1400 when sending packets to 127.0.0.1. This can be useful for testing how a system handles packets of a specific size.

Combine MTU and scan with nmap -sS --mtu 1000 192.168.1.1

In this step, we will combine the MTU setting with a specific scan type. We'll use the SYN scan (-sS) along with the --mtu option to perform a scan with a specified MTU size.

The SYN scan (-sS) is a stealthy scan that only sends SYN packets to the target. It's faster and less detectable than a full TCP connect scan.

The command we'll use is:

nmap -sS --mtu <mtu_value> <target_ip>

Here, -sS specifies the SYN scan type, --mtu sets the MTU value, and <target_ip> is the IP address of the target.

In this specific case, we will set the MTU to 1000 and target the IP address 192.168.1.1. Make sure you have the necessary permissions and that scanning this IP is allowed.

Open your Xfce terminal and execute the following command:

sudo nmap -sS --mtu 1000 192.168.1.1

You will see output from Nmap indicating that it is performing a SYN scan with an MTU of 1000. The exact output will depend on the target system and network configuration.

Example output (may vary):

Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 192.168.1.1
Host is up (0.00043s latency).
All 1000 scanned ports on 192.168.1.1 are filtered
Nmap done: 1 IP address (1 host up) scanned in 4.63 seconds

Note: The output shows that all ports are filtered. This is just an example, and the actual result depends on the target. The important part is that Nmap executed the SYN scan with the --mtu option.

This command combines a SYN scan with a specific MTU size. This can be useful for testing how a system responds to different packet sizes during a scan.

Add verbosity with nmap -v --badsum 127.0.0.1

In this step, we will add verbosity to the Nmap command. Verbosity increases the amount of information displayed during the scan, which can be helpful for debugging and understanding what Nmap is doing.

The -v option increases the verbosity level. You can use it multiple times (e.g., -vv) for even more detailed output.

We will combine the verbosity option with the --badsum option, which we used in the first step, targeting the loopback address 127.0.0.1.

Open your Xfce terminal and execute the following command:

sudo nmap -v --badsum 127.0.0.1

You will see more detailed output from Nmap compared to the previous commands. The output will include information about the packets being sent, the responses received, and the progress of the scan.

Example output (may vary):

Starting Nmap 7.80 ( https://nmap.org )
NSE: Loaded 0 scripts for scanning.
Initiating Ping Scan at 15:00
Scanning localhost (127.0.0.1) [4 ports]
Completed Ping Scan at 15:00, 0.00s elapsed (1 total hosts)
Host localhost (127.0.0.1) appears to be up ... good.
Initiating Connect Scan at 15:00
Scanning localhost (127.0.0.1) [1000 ports]
Connect Scan Timing: About 0.00% done; ETC: 15:00 (0:00:00 remaining)
Completed Connect Scan at 15:00, 0.01s elapsed (1000 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000090s latency).
All 1000 scanned ports on localhost (127.0.0.1) are closed

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.02 seconds

The -v option provides more information about the scan process, making it easier to understand what Nmap is doing and to troubleshoot any issues.

Save results with nmap --mtu 1200 -oN sim.txt 192.168.1.1

In this step, we will save the Nmap scan results to a file. This is useful for later analysis or for sharing the results with others.

The -oN option specifies that the output should be saved in normal format to the specified file.

The command we'll use is:

nmap --mtu <mtu_value> -oN <output_file> <target_ip>

Here, --mtu sets the MTU value, -oN specifies the output file in normal format, <output_file> is the name of the file to save the results to, and <target_ip> is the IP address of the target.

In this specific case, we will set the MTU to 1200, save the output to a file named sim.txt in the ~/project directory, and target the IP address 192.168.1.1. Make sure you have the necessary permissions and that scanning this IP is allowed.

Open your Xfce terminal and execute the following command:

sudo nmap --mtu 1200 -oN sim.txt 192.168.1.1

After the scan completes, a file named sim.txt will be created in your ~/project directory. This file will contain the Nmap scan results in a human-readable format.

To verify that the file was created and contains the scan results, you can use the cat command to display the contents of the file:

cat sim.txt

You should see the Nmap scan results printed to the terminal.

Example output (may vary):

## Nmap 7.80 scan initiated Mon Oct 26 15:05:05 2020
Nmap scan report for 192.168.1.1
Host is up (0.00043s latency).
All 1000 scanned ports on 192.168.1.1 are filtered
## Nmap done: 1 IP address (1 host up) scanned in 4.63 seconds

This command saves the Nmap scan results to a file, allowing you to review and analyze the results later.

Analyze simulation effects in Xfce terminal

In this step, we will analyze the effects of the simulations we performed using Nmap. We'll examine the output from the previous steps to understand how the --badsum and --mtu options affected the scan results.

First, let's review the sim.txt file we created in the previous step. Open your Xfce terminal and use the cat command to display the contents of the file:

cat sim.txt

Examine the output. Note the target IP address, the ports that were scanned, and the status of those ports (e.g., open, closed, filtered).

Next, let's consider the --badsum option. This option intentionally corrupts the checksum of the Nmap packets. In a real-world scenario, this would likely cause the packets to be dropped by the network or the target host. However, Nmap can still provide some information, even with corrupted packets.

Recall the command we used with --badsum:

sudo nmap --badsum 192.168.1.1

The output of this command (if you didn't save it to a file) would have shown how Nmap attempted to scan the target despite the checksum errors.

Now, let's consider the --mtu option. This option sets the Maximum Transmission Unit (MTU) for the Nmap packets. The MTU is the largest packet size that can be transmitted over a network. If the MTU is set too high, the packets may be fragmented, which can affect the scan results. If the MTU is set too low, the scan may be slower.

Recall the command we used with --mtu:

sudo nmap --mtu 1200 -oN sim.txt 192.168.1.1

By setting the MTU to 1200, we potentially influenced how the target host received and processed the Nmap packets. The sim.txt file contains the results of this scan, which you should compare to a scan without the --mtu option to see the differences.

To further analyze the effects, you could try running Nmap scans with different MTU values and compare the results. For example, try an MTU value that is smaller than the default (usually 1500) and one that is larger.

In summary, by using the --badsum and --mtu options, we simulated network conditions that can affect Nmap scans. Analyzing the results of these simulations helps us understand how Nmap behaves under different circumstances and how to interpret the scan results accordingly.

This step is primarily about understanding the impact of the previous commands. There is no specific command to execute in this step other than reviewing the outputs from previous steps.

Summary

In this lab, we explored how to simulate network conditions using Nmap. Specifically, we learned how to use the --badsum option to send packets with invalid checksums to a target IP address, allowing us to test how a system handles corrupted data. We also practiced setting the Maximum Transmission Unit (MTU) size using the --mtu option to control the size of packets sent during a scan.

Furthermore, we combined the --mtu option with a scan type and explored adding verbosity with the -v flag for more detailed output. Finally, we learned how to save the scan results to a file using the -oN option for later analysis, and we were instructed to analyze the effects of these simulations in the Xfce terminal.