Day 11: Wireshark – Identifying Nmap Scans lab

Objective

Capture traffic while someone (you) runs several Nmap scans and, from the pcap, identify and justify which scan type produced each packet sequence (ARP, ICMP, SYN, TCP-connect, FIN, NULL, XMAS). Provide the filter(s) used, the key hex/flag values you checked, and the conclusion.


Lab setup (minimum)

  • Attacker machine (Kali or Linux) with nmap.

  • Target machine (Linux or Windows).

  • Analysis machine with Wireshark (can be on target, on attacker, or on a span port that sees traffic).

  • Both hosts on same subnet (or mirrored traffic).

Attacker IP: 10.0.0.10
Target IP: 10.0.0.20
Adjust the IPs to your lab.


The challenge (tasks)

Complete each numbered task. For each: capture the traffic, answer the questions, and include the Wireshark display filter(s) you used.

  1. Task A — ARP Host Discovery

    • Run: nmap -sn 10.0.0.20 (as root on the same subnet; Nmap then defaults to an ARP ping instead of ICMP)

    • Capture and show the ARP request + reply packets.

    • Questions: what is the destination MAC for the request? What EtherType hex indicates ARP? What is the ARP opcode (hex) for request and reply?

  2. Task B — ICMP Host Discovery

    • Run: nmap -sn 10.0.0.20 --disable-arp-ping (as root)

    • Capture the ICMP Echo Request/Reply and the TCP probes Nmap sends alongside it. With ARP ping disabled, a privileged host-discovery sweep sends an ICMP Echo Request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP Timestamp Request at roughly the same time.

    • Questions: what IP protocol number shows ICMP? What are the ICMP Type/Code bytes for Echo Request and Echo Reply? Which TCP probes did Nmap send in addition to ICMP, and to which ports? (show filter)

  3. Task C — SYN (Stealth) Scan

    • Run: nmap -sS -p22,80,443 10.0.0.20

    • Capture the SYN → SYN/ACK → RST sequence for an open port and the SYN → RST/ACK sequence for a closed port.

    • Questions: show the TCP flag hex for SYN, SYN/ACK, the scanner's RST and the target's RST/ACK. Why is this called a half-open / stealth scan?

  4. Task D — Full TCP Connect

    • Run: nmap -sT -p80 10.0.0.20

    • Capture the 3-way handshake and the ACK that completes it.

    • Questions: which packet completes the handshake? What TCP flag hex is that?

  5. Task E — FIN / NULL / XMAS scans

    • Run: nmap -sF -p22 10.0.0.20 (FIN)

    • Run: nmap -sN -p22 10.0.0.20 (NULL)

    • Run: nmap -sX -p22 10.0.0.20 (XMAS)

    • Capture the packets and the target’s responses (if any).

    • Questions: what are the flag hex values for FIN, NULL, XMAS? How does the target respond for closed vs open ports (common behaviors)?

  6. Task F — Bonus: Build a basic detection rule

    • Write one short SIEM rule or pseudo-query that would flag likely scanning behaviour (e.g., many SYNs without completed handshakes, or many NULL/FIN/XMAS packets from one source within 60s).


Hints (one hint per task — use only if stuck)

  • Task A hint: filter arp in Wireshark. Broadcast MAC = ff:ff:ff:ff:ff:ff. ARP EtherType = 0x0806. Opcode bytes are 0x0001 (request) and 0x0002 (reply).

  • Task B hint: filter icmp or ip.proto == 1. The first IP header byte is 0x45 (version 4, IHL 5, i.e. a 20-byte header with no options); the protocol number is the byte at offset 9 of the IP header. ICMP Type/Code are the first two bytes of the ICMP header (Echo Request = 08 00, Echo Reply = 00 00). The TCP probes Nmap sends with it go to port 443 (SYN) and port 80 (ACK).

  • Task C hint: filter tcp.flags.syn==1. TCP flags byte values: SYN=0x02, ACK=0x10, RST=0x04; SYN/ACK = 0x12. Wireshark prints the flags field with three hex digits (0x002, 0x012, 0x004) because the field also carries the reserved and ECN bits above the low byte; the low byte is what the values in this lab refer to. A closed port answers the SYN with RST/ACK = 0x14.

  • Task D hint: look for a packet with flags 0x10 (ACK) going from scanner → target immediately after the SYN/ACK; its acknowledgment number is the target's sequence number + 1. That ACK completes the handshake, and it is exactly the packet a -sS scan never sends.

  • Task E hint: FIN=0x01; NULL=0x00 (no bits set); XMAS = FIN+PSH+URG → add the hex values (FIN=0x01 + PSH=0x08 + URG=0x20 = 0x29). Closed ports reply with RST/ACK (0x14); open and filtered ports give no reply on RFC 793-compliant stacks such as Linux and the BSDs, which is why Nmap reports them as open|filtered. Windows and many network devices send RST for every port regardless of state, so these three scans cannot distinguish open from closed there.

  • Task F hint: simple rule: alert if a single src_ip sends SYNs to >50 distinct dst_ports within 60s and never sends the third-step ACK on any of those connections.
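The Task F hint states the rule in words; as an added example that is not part of the original lab, the Python script below implements it over a list of packet records (timestamp, src, dst, sport, dport, TCP flags byte), the fields a tshark export or a flow log would give you. It applies both variants of the rule: more than 50 distinct destination ports receiving a bare SYN from one source with no handshake-completing ACK inside a 60-second sliding window, and more than 10 distinct NULL/FIN/XMAS probes from one source in the same window (that second threshold is an assumption made for the example). The sample traffic (a 60-port SYN scan, a 12-port XMAS scan and one ordinary connection) is constructed, not captured.

```python
from collections import defaultdict

# TCP flag bits (RFC 793) in the hex values the lab's hints use.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG            # 0x29
NULL = 0x00

WINDOW_SECONDS = 60
SYN_PORT_THRESHOLD = 50           # distinct dst ports with a bare SYN and no completion (from the hint)
ODD_PROBE_THRESHOLD = 10          # distinct NULL/FIN/XMAS probes from one source (assumed for this example)


def probe_kind(flags):
    """Map a TCP flags byte to the Nmap probe it looks like, or None."""
    return {SYN: "SYN", NULL: "NULL", FIN: "FIN", XMAS: "XMAS"}.get(flags)


def max_distinct_in_window(events, window):
    """events: list of (ts, key) sorted by ts. Largest number of distinct keys
    seen within any span of `window` seconds (two-pointer sliding window)."""
    counts = defaultdict(int)
    best = left = 0
    for ts, key in events:
        counts[key] += 1
        while events[left][0] < ts - window:   # drop events that fell out of the window
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def detect_scans(packets, window=WINDOW_SECONDS,
                 syn_ports=SYN_PORT_THRESHOLD, odd_probes=ODD_PROBE_THRESHOLD):
    """packets: iterable of (ts, src, dst, sport, dport, flags).
    Returns a list of alert strings, one per (source, rule) that fired."""
    pkts = sorted(packets, key=lambda p: p[0])
    # 4-tuples on which the initiator later sent a bare ACK, i.e. the third
    # step of the handshake. A SYN scan (-sS) never produces one; -sT does.
    completed = {(src, dst, sport, dport)
                 for _, src, dst, sport, dport, flags in pkts if flags == ACK}
    syn_events, odd_events = defaultdict(list), defaultdict(list)
    for ts, src, dst, sport, dport, flags in pkts:
        kind = probe_kind(flags)
        if kind == "SYN" and (src, dst, sport, dport) not in completed:
            syn_events[src].append((ts, (dst, dport)))
        elif kind in ("NULL", "FIN", "XMAS"):
            odd_events[src].append((ts, (dst, dport, kind)))
    alerts = []
    for src, ev in syn_events.items():
        n = max_distinct_in_window(ev, window)
        if n > syn_ports:
            alerts.append(f"{src}: {n} distinct ports got a bare SYN with no "
                          f"handshake completion within {window}s (SYN scan?)")
    for src, ev in odd_events.items():
        n = max_distinct_in_window(ev, window)
        if n > odd_probes:
            kinds = sorted({k for _, (_, _, k) in ev})
            alerts.append(f"{src}: {n} {'/'.join(kinds)} probes within {window}s "
                          f"(FIN/NULL/XMAS scan?)")
    return alerts


def build_sample():
    """Constructed traffic, not a real capture: a 60-port SYN scan and a 12-port
    XMAS scan from 10.0.0.10, plus one normal connection from 10.0.0.30."""
    pkts = []
    for i in range(60):                                   # nmap -sS against 60 ports
        t, sport, dport = i * 0.1, 40000 + i, 1 + i
        pkts.append((t,        "10.0.0.10", "10.0.0.20", sport, dport, SYN))
        pkts.append((t + 0.01, "10.0.0.20", "10.0.0.10", dport, sport, SYN | ACK))
        pkts.append((t + 0.02, "10.0.0.10", "10.0.0.20", sport, dport, RST))
    for i in range(12):                                   # nmap -sX against 12 ports
        pkts.append((10 + i * 0.1, "10.0.0.10", "10.0.0.20", 41000 + i, 100 + i, XMAS))
    pkts += [                                             # a legitimate TCP connect
        (1.0,  "10.0.0.30", "10.0.0.20", 50000, 80, SYN),
        (1.01, "10.0.0.20", "10.0.0.30", 80, 50000, SYN | ACK),
        (1.02, "10.0.0.30", "10.0.0.20", 50000, 80, ACK),
    ]
    return pkts


SAMPLE_PACKETS = build_sample()

if __name__ == "__main__":
    for line in detect_scans(SAMPLE_PACKETS):
        print(line)
```

The legitimate connection is excluded because its initiator sent the 0x10 ACK on the same 4-tuple; a -sT scan would be excluded for the same reason, which is why the hint's rule catches -sS but needs a separate "many short-lived connections" rule for connect scans.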


Wireshark display filters you can copy

  • ARP packets: arp

  • ICMP: icmp

  • Only the lab pair (combine with the TCP/ICMP filters below using &&): ip.addr == 10.0.0.10 && ip.addr == 10.0.0.20

  • SYNs only: tcp.flags.syn == 1 && tcp.flags.ack == 0 (Wireshark shows the field as 0x002)

  • SYN/ACK: tcp.flags.syn == 1 && tcp.flags.ack == 1 (0x012)

  • RSTs: tcp.flags.reset == 1 (the scanner's bare RST is 0x004; a closed port's RST/ACK is 0x014)

  • NULL (no flags): tcp.flags == 0 (or tcp.flags == 0x000)

  • FIN packets: tcp.flags.fin == 1 (a bare FIN probe is tcp.flags == 0x001)

  • XMAS (FIN+PSH+URG): tcp.flags.fin == 1 && tcp.flags.push == 1 && tcp.flags.urg == 1 (or tcp.flags == 0x029)
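The display filters above select packets; the hex values behind them sit at fixed offsets in the frame. As an added example that is not part of the original lab, the Python script below builds one constructed frame for each probe type (ARP request, ICMP Echo Request, TCP SYN, TCP XMAS) using assumed lab MAC addresses and zeroed IP/TCP checksums, then decodes from the raw bytes exactly the fields the tasks ask for: EtherType, ARP opcode, the first IP header byte, the IP protocol number, ICMP type/code, and the TCP flags byte with the scan-type verdict it implies. Bytes copied out of Wireshark (Copy ... as Hex Stream on a packet) can be fed to decode_frame the same way.

```python
import struct

ETHERTYPE_ARP, ETHERTYPE_IPV4 = 0x0806, 0x0800
IPPROTO_ICMP, IPPROTO_TCP = 1, 6
# TCP flag bits, low byte of the flags field
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]
# What each flags byte means in the context of this lab
TCP_VERDICTS = {0x02: "SYN probe (-sS/-sT)", 0x00: "NULL probe (-sN)",
                0x01: "FIN probe (-sF)", 0x29: "XMAS probe (-sX)",
                0x12: "SYN/ACK: port open", 0x14: "RST/ACK: port closed",
                0x04: "bare RST: scanner tearing down (-sS)",
                0x10: "ACK: handshake completed (-sT)"}


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def flag_names(flags):
    """0x12 -> 'SYN/ACK', 0x29 -> 'FIN/PSH/URG', 0x00 -> 'none'."""
    return "/".join(name for bit, name in TCP_FLAG_BITS if flags & bit) or "none"


def decode_frame(frame):
    """Pull out of a raw Ethernet frame the fields the lab asks for."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": ethertype}
    payload = frame[14:]
    if ethertype == ETHERTYPE_ARP:
        # ARP: htype(2) ptype(2) hlen(1) plen(1) opcode(2) sha(6) spa(4) tha(6) tpa(4)
        out["arp_opcode"] = struct.unpack("!H", payload[6:8])[0]
        out["arp_sender_ip"] = ip_str(payload[14:18])
        out["arp_target_ip"] = ip_str(payload[24:28])
        return out
    if ethertype != ETHERTYPE_IPV4:
        return out
    ihl = (payload[0] & 0x0F) * 4          # header length in bytes (0x45 -> 20)
    proto = payload[9]                     # protocol number at IP offset 9
    out.update(ip_first_byte=payload[0], ip_proto=proto,
               src_ip=ip_str(payload[12:16]), dst_ip=ip_str(payload[16:20]))
    l4 = payload[ihl:]
    if proto == IPPROTO_ICMP:
        out.update(icmp_type=l4[0], icmp_code=l4[1])   # first two ICMP bytes
    elif proto == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", l4[:4])
        flags = l4[13]                     # TCP offset 13: the flags byte
        out.update(sport=sport, dport=dport, tcp_flags=flags,
                   tcp_flag_names=flag_names(flags),
                   verdict=TCP_VERDICTS.get(flags, "other"))
    return out


# --- constructed sample frames (assumed MACs, checksums left at zero) -------
def ethernet(dst, src, ethertype, payload):
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


def arp(opcode, sha, spa, tha, tpa):
    return struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, opcode, sha, spa, tha, tpa)


def ipv4(proto, src, dst, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000, 64, proto, 0, src, dst)
    return hdr + payload


def tcp(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 1024, 0, 0)


ATTACKER_MAC, TARGET_MAC = bytes.fromhex("0242ac110010"), bytes.fromhex("0242ac110020")
BROADCAST = b"\xff" * 6
ATTACKER_IP, TARGET_IP = bytes([10, 0, 0, 10]), bytes([10, 0, 0, 20])

SAMPLE_FRAMES = {
    "arp_request": ethernet(BROADCAST, ATTACKER_MAC, ETHERTYPE_ARP,
                            arp(1, ATTACKER_MAC, ATTACKER_IP, b"\x00" * 6, TARGET_IP)),
    "icmp_echo": ethernet(TARGET_MAC, ATTACKER_MAC, ETHERTYPE_IPV4,
                          ipv4(IPPROTO_ICMP, ATTACKER_IP, TARGET_IP, bytes([8, 0, 0, 0, 0, 1, 0, 1]))),
    "tcp_syn": ethernet(TARGET_MAC, ATTACKER_MAC, ETHERTYPE_IPV4,
                        ipv4(IPPROTO_TCP, ATTACKER_IP, TARGET_IP, tcp(40000, 22, 0x02))),
    "tcp_xmas": ethernet(TARGET_MAC, ATTACKER_MAC, ETHERTYPE_IPV4,
                         ipv4(IPPROTO_TCP, ATTACKER_IP, TARGET_IP, tcp(40001, 22, 0x01 | 0x08 | 0x20))),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(name, decode_frame(frame))
```

The offsets used here (EtherType at frame byte 12, ARP opcode at ARP byte 6, protocol at IP byte 9, TCP flags at TCP byte 13) are the same bytes Wireshark highlights in its hex pane when you click the corresponding field, so the script doubles as a check on what you read off the screen.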


What to submit (deliverables)

For each task (A–F) provide:

  1. The Wireshark display filter you used.

  2. The packet number(s) (or screenshot) you inspected.

  3. The key hex/flag values you checked (e.g., TCP flags = 0x02).

  4. A one-line conclusion: e.g., “SYN stealth scan detected — attacker sent SYN (0x02), got SYN/ACK (0x12), then attacker sent RST (0x04).”

  5. (Bonus) the detection rule/pseudocode.


Quick answer key (check your work)

  • ARP EtherType = 0x0806. ARP request opcode = 0x0001, reply opcode = 0x0002. Broadcast MAC = ff:ff:ff:ff:ff:ff.

  • ICMP protocol number = 1. Echo Request Type/Code = 08 00. Echo Reply = 00 00.

  • TCP flag hex values: FIN=0x01, SYN=0x02, RST=0x04, PSH=0x08, ACK=0x10, URG=0x20. Examples: SYN only → 0x02; SYN/ACK → 0x12; RST → 0x04; RST/ACK → 0x14; NULL → 0x00; XMAS → 0x29.

  • SYN scan pattern (open port) = SYN → SYN/ACK → RST (from scanner); closed port = SYN → RST/ACK (from target). The scanner never sends an ACK.

  • TCP connect = SYN → SYN/ACK → ACK (from scanner), after which Nmap closes the connection it just opened.

  • FIN/NULL/XMAS: closed ports answer with RST/ACK; open and filtered ports stay silent on RFC 793-compliant stacks such as Linux and the BSDs. Windows and many network devices answer every port with RST, so against those targets these scans report everything as closed.
