3 November 2015


by mo

Research Canadian and US computer security laws in regards to unlawful computer access

Answer the following in 1 to 2 points per question:

  1. What are the laws?
  2. How can penetration testing be conducted for a client? (hint: consent, scope)
    • You have consent from the management of an organization before conducting a penetration test on its systems or network.
    • Conducting Pen Testing
  3. What is responsible vulnerability disclosure?
  4. What does Amazon’s cloud (EC2) require before you conduct penetration testing against your Amazon hosted cloud infrastructure?


Consider buying these books:

Bookmark and get an overview of these resources:

Get your home lab setup:

  • Install VMware Player
  • Download Metasploitable
    • Setup networking so you have an IP on your home network
  • Download Kali Linux 1
    • Change the default password
    • Setup networking so you have an IP on your home network
    • Create directories in Kali called input and output
    • Add the internal IP of the Metasploitable workstation to input/targets.txt
    • Are you sure it’s an internal IP?

Try and clearly describe the following NSE commands (each option per scan). Replace IP with that of your Metasploitable box. Take note why certain options take longer, and the impact of scanning a single port vs all ports. Troubleshoot error messages: do you have the right syntax? Did you use spaces? Have you created the output folder? Have you created the input folder and put the IP address within target.txt?
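The troubleshooting checklist above, as an added Python preflight (not part of the original post): it reads the targets list, confirms every entry is an RFC 1918 address before anything is scanned, checks that the output folder exists, and assembles the long stealth/NSE scan from further down the post as an argument list so the shell never mangles the quoting. The file names and the sample address are assumptions.

```python
import ipaddress
from pathlib import Path

# Constructed stand-in for input/targets.txt: one target per line, '#' comments.
SAMPLE_TARGETS = """\
# Metasploitable VM on the home network (constructed address)
192.168.56.101
"""

# The three RFC 1918 ranges; a lab target must fall inside one of them.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_targets(text):
    """Non-empty, non-comment entries of a targets file."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def is_private_target(entry):
    """True only for a single IPv4 address inside an RFC 1918 range.
    Hostnames and CIDR ranges are rejected: the lab wants one internal box."""
    try:
        addr = ipaddress.ip_address(entry)
    except ValueError:
        return False
    return addr.version == 4 and any(addr in net for net in RFC1918)

def preflight(targets_text, output_dir):
    """The troubleshooting checklist as code: targets present, all internal,
    output folder created. Returns (ok, problems)."""
    problems = []
    targets = parse_targets(targets_text)
    if not targets:
        problems.append("no targets listed")
    for t in targets:
        if not is_private_target(t):
            problems.append(f"{t} is not an internal (RFC 1918) IPv4 address")
    if not Path(output_dir).is_dir():
        problems.append(f"output folder {output_dir} does not exist")
    return (not problems, problems)

def build_nmap_cmd(targets_file, output_base):
    """The post's -iL ... --host-timeout 30m scan as an argv list: handing this
    to subprocess.run avoids the shell splitting or smart-quoting --script-args."""
    return ["nmap", "-iL", targets_file, "-vvv", "-sS", "-sV", "-O", "-A", "-Pn",
            "-p80,443", "--script=vuln and safe,http-*", "--script-args=newtargets=1",
            "-oA", output_base, "--stats-every", "30s", "--host-timeout", "30m"]
```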


  • NMAP NSE: https://nmap.org/nsedoc/
  • Here’s a handy list of default ports, if you haven’t found this information online or in your textbook: http://www.vulnerabilityassessment.co.uk/ports.htm

Deliverable: Describe each option used, and include a quick screenshot of your running the command (but don’t include the full output in the screenshot). Example: Option: “nmap -sS -sV -p21” = Answer: “Stealth Scan, Service Version, Port 21”

--script-updatedb: Update the script database.

  nmap --script-updatedb 

Stealth Scan

 nmap -sS IP

Stealth Scan, use “default” script scan.

-sC: equivalent to --script=default

 nmap -sC -sS IP

Service Version, Default Script, Stealth Scan

 nmap -sV -sC -sS IP

Default and safe script scan

 nmap --script default,safe IP

Service Version, default and safe script scan.

 nmap -sV --script default,safe IP

-A: Enable OS detection, version detection, script scanning, and traceroute

Service Version, aggressive scan, run scripts in vuln and safe category, port 80.

 nmap -sV -A --script "vuln and safe" -p80 IP

Service Version, script scan category vuln, port 80, output to output/a

 nmap -sV -A --script "vuln" -p80 IP -oX output/a

Service version, scan UDP, script scan nbstat, port 137

 nmap -sV -sU --script="nbstat*" -p 137 IP

Input file /input/target.txt, very very verbose, stealth scan, service version, os detection, Aggressive scan options, no ping, port 80 and p443, script scan categories vuln and safe and files starting with http*, script arguments newtargets=1, output to file Target_vulnandsafeHTTP_T3, print stats every 30 seconds, host timeout 30 minutes.

--host-timeout time (Give up on slow target hosts).

 nmap -iL /input/target.txt -vvv -sS -sV -O -A -Pn -p80,443 --script="vuln and safe","http-*" --script-args=newtargets=1 -oA /output/Target_vulnandsafeHTTP_T3 --stats-every 30s --host-timeout 30m

Input file target.txt, very very verbose, scan UDP, service version, top 200 ports, output all formats to dir Target*, print stats every 30 seconds.

 nmap -iL /input/target.txt -vvv -sU -sV --top-ports 200 -oA /output/Target_sU_T3_top200 --stats-every 30s

Resume previous scan from output file/dir.

 nmap --resume /output/Target_sU_T3_top200.gnmap

Read targets from input file, use interface tun0, very very verbose, no ping, scan TCP, top 100 ports, set timing template 3, output all formats, print stats every 30 seconds.

 nmap -iL /input/target.txt -e tun0 -vvv -Pn -sT --top-ports 100 -T3 -oA /output/Target_Discovery_sT_top100 --stats-every 30s

Why would “-e tun0” not work without being connected to a VPN?

tun0 is the name of the interface typically assigned to a VPN connection.

Refer back to scan #3; based on the output, target new ports with the NSE options you tried in #5, 6, and 7, but customize the script to a new port and service (for example, -p21 --script=ftp* or -p3306 --script=mysql*). Paste the command you used below.

  nmap -sV -A --script="ftp*" -p21 IP

Take a screenshot of one of your note’s pages for Service Testing with NMAP (for example, show me the notes you’ve taken for testing FTP with NMAP).



-sU (UDP scans) While most popular services on the Internet run over the TCP protocol, UDP services are widely deployed. DNS, SNMP, and DHCP (registered ports 53, 161/162, and 67/68) are three of the most common. Because UDP scanning is generally slower and more difficult than TCP, some security auditors ignore these ports. This is a mistake, as exploitable UDP services are quite common and attackers certainly don’t ignore the whole protocol. Fortunately, Nmap can help inventory UDP ports.

--script filename|category|directory|expression[,…] Runs a script scan using the comma-separated list of filenames, script categories, and directories. Each element in the list may also be a Boolean expression describing a more complex set of scripts. Each element is interpreted first as an expression, then as a category, and finally as a file or directory name.

-p : Only scan specified ports Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9

-sC: equivalent to --script=default

-sS (TCP SYN scan) SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy since it never completes TCP connections. SYN scan works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms as Nmap’s FIN/NULL/Xmas, Maimon and idle scans do. It also allows clear, reliable differentiation between the open, closed, and filtered states.

This runs all scripts in category default and safe. nmap --script-help="default" will provide more info.

-sV: Probe open ports to determine service/version info

-A: Enable OS detection, version detection, script scanning, and traceroute

-oX filespec (XML output) Requests that XML output be directed to the given filename. Nmap includes a document type definition (DTD) which allows XML parsers to validate Nmap XML output. While it is primarily intended for programmatic use, it can also help humans interpret Nmap XML output. The DTD defines the legal elements of the format, and often enumerates the attributes and values they can take on. The latest version is always available from https://svn.nmap.org/nmap/docs/nmap.dtd.
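Because the scans above write results with -oX and -oA, here is an added Python example (not from the original post or from Nmap) that turns that XML into a per-port inventory of open services and the NSE scripts that fired, dropping closed and filtered ports. The XML fragment is constructed and the product names in it are made up.

```python
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of `nmap -sV -sC -oX output/a` output; not real scan data.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sC -p21,22,25 -oX output/a 192.168.56.101">
  <host>
    <address addr="192.168.56.101" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="ExampleFTPd" version="1.0" method="probed"/>
        <script id="ftp-anon" output="Anonymous FTP login allowed"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="ExampleSSHd" version="2.1" method="probed"/>
      </port>
      <port protocol="tcp" portid="25">
        <state state="filtered" reason="no-response"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

def open_ports(xml_text):
    """One record per open port: host, port, protocol, service banner and the
    NSE scripts that produced output. Closed and filtered ports are skipped,
    so the result is the service inventory the scans are meant to produce."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else None
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")      # absent when -sV found nothing
            banner = ""
            if svc is not None:
                banner = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            records.append({
                "host": addr, "port": int(port.get("portid")), "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "banner": banner,
                "scripts": {s.get("id"): s.get("output") for s in port.findall("script")},
            })
    return records
```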

--script vuln runs all scripts with category vuln. I found 57 on my mac:

 nmap --script-help="vuln" | grep Categories | wc -l
 57

-iL inputfilename (Input from list) Reads target specifications from inputfilename. Passing a huge list of hosts is often awkward on the command line, yet it is a common desire. For example, your DHCP server might export a list of 10,000 current leases that you wish to scan. Or maybe you want to scan all IP addresses except for those to locate hosts using unauthorized static IP addresses. Simply generate the list of hosts to scan and pass that filename to Nmap as an argument to the -iL option. Entries can be in any of the formats accepted by Nmap on the command line (IP address, hostname, CIDR, IPv6, or octet ranges). Each entry must be separated by one or more spaces, tabs, or newlines. You can specify a hyphen (-) as the filename if you want Nmap to read hosts from standard input rather than an actual file.

-v: Increase verbosity level (use -vv or more for greater effect)

--stats-every time (Print periodic timing stats) Periodically prints a timing status message after each interval of time. The time is a specification of the kind described in the section called “TIMING AND PERFORMANCE”; so for example, use --stats-every 10s to get a status update every 10 seconds. Updates are printed to interactive output (the screen) and XML output.


--top-ports : Scan most common ports

--resume : Resume an aborted scan

-e : Use specified interface

-T paranoid|sneaky|polite|normal|aggressive|insane (Set a timing template) While the fine-grained timing controls discussed in the previous section are powerful and effective, some people find them confusing. Moreover, choosing the appropriate values can sometimes take more time than the scan you are trying to optimize. So Nmap offers a simpler approach, with six timing templates. You can specify them with the -T option and their number (0-5) or their name. The template names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5). The first two are for IDS evasion. Polite mode slows down the scan to use less bandwidth and target machine resources. Normal mode is the default and so -T3 does nothing. Aggressive mode speeds scans up by making the assumption that you are on a reasonably fast and reliable network. Finally, insane mode assumes that you are on an extraordinarily fast network or are willing to sacrifice some accuracy for speed.