
Ape-Testing, LLC

Enumeration and Vulnerability Scanning


2.11.2018

This Report was Prepared By:


Taco Lemur Security
Nicolas Bautista
Jaime Ibarra
Alyssa Evans
nicbauti@uat.edu
jaiibarr@uat.edu
alyevans@uat.edu
Table of Contents
Introduction ..................................................................................................................................... 2
Overview ......................................................................................................................................... 2
Scanning .......................................................................................................................................... 2
Operating Systems Identified ........................................................................................................ 11
Service Fingerprinting .................................................................................................................. 12
Identifying Hosts within Specified Range and Filtering ICMP .................................................... 14
Xmas Scan .................................................................................................................................... 14
Import File to Scan IPs Within ..................................................................................................... 14
Using Nessus ................................................................................................................................. 17
Conclusions ................................................................................................................................... 20

1|Page
Introduction
Taco Lemur Security Team was tasked with enumeration and vulnerability scanning for
specified targets. We needed to identify live hosts on the network and the ports they had open,
determine the operating system of each host, perform service fingerprinting, and use Nessus to
scan for vulnerabilities.

Overview
There were two targets available on the network, and each showed different results across the
scans. The two targets identified were used to test Nessus vulnerability scanning, which proved
to be an enlightening experience.

Scanning
Below are the results of ping sweeping the network for live hosts, scanning hosts with Nmap,
scanning hosts with adjusted timing options, using Nmap to sweep the network for systems
running web servers on ports 80 and 443, scanning hosts with Nmap while displaying the
reason it reports each port in the state it is in, the command to scan with Nmap and write the
results to a normal-format output file, scanning hosts as if the target were denying ICMP, and
port scanning ports 1 to 500 with Netcat. Netcat is used when a dependable back-end tool is
needed that can be easily driven by other programs and scripts. Nmap is a scanning tool that
can scan a network using a variety of protocols, can operate in stealth mode, and can
automatically identify remote operating systems.

Operating Systems Identified
Below are operating system results for the two targets identified using Nmap. I would say that
the guess was fairly accurate.

Service Fingerprinting
Below are the service fingerprinting results. This seems to be a fair assessment of the services
running. If Nmap were unable to identify a service, I would start by looking at which ports are
open and verify the service that typically runs on each of them.

Identifying Hosts within Specified Range and Filtering ICMP
This is the way we would attempt to determine which hosts are up in the network range if the
customer were filtering ICMP.

Xmas Scan
The Xmas scan in Nmap sends probes with the FIN, PSH, and URG TCP flags set.

Import File to Scan IPs Within
These are the results of having Nmap read the target hosts from a text file and scan them.

Using Nessus

Based on what we can tell, there are likely to be a few false positives, since an automated
system is unlikely to be 100% accurate. This is why it is always a good idea to verify the
information given.

We also believe that there are likely to be obscure vulnerabilities that were not found. Nessus is
meant to test for the more common vulnerabilities, and while this is good, sometimes we need
to check for complicated vulnerabilities as well.
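The verification step recommended above, and the service fingerprinting check in the earlier section, can be made systematic by cross-checking each Nessus finding against the ports Nmap actually saw open on the same host. The script below is an added example and is not part of the original report or of either tool; the Nmap XML and the Nessus CSV rows are constructed samples laid out like the real tools' exports, and the plugin IDs and finding names are placeholders.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample in the shape of Nmap's -oX output (not the report's real scan).
NMAP_XML = """<nmaprun>
<host><address addr="10.0.0.5" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
<port protocol="tcp" portid="445"><state state="closed" reason="reset"/></port>
</ports></host>
</nmaprun>"""

# Constructed sample rows in the column layout of a Nessus CSV export.
# Plugin IDs and names are placeholders, not real plugins.
NESSUS_CSV = """Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name
900001,,0.0,None,10.0.0.5,tcp,22,Placeholder SSH banner finding
900002,,0.0,None,10.0.0.5,tcp,80,Placeholder HTTP server finding
900003,,7.5,High,10.0.0.5,tcp,445,Placeholder SMB finding
900004,,0.0,None,10.0.0.5,tcp,0,Placeholder host-level finding
"""

def nmap_open_ports(xml_text):
    """Map (host, protocol, port) -> service name for every port Nmap reports open."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            result[(addr, port.get("protocol"), int(port.get("portid")))] = name
    return result

def triage(nessus_csv, open_ports):
    """Split findings into corroborated (port open per Nmap), host-level (port 0),
    and those that need manual verification because Nmap did not see the port open."""
    corroborated, host_level, verify = [], [], []
    for row in csv.DictReader(io.StringIO(nessus_csv)):
        port = int(row["Port"])
        key = (row["Host"], row["Protocol"], port)
        if port == 0:  # Nessus reports host-wide plugins on port 0; no port to check
            host_level.append((row["Plugin ID"], row["Name"]))
        elif key in open_ports:
            corroborated.append((row["Plugin ID"], row["Name"], open_ports[key]))
        else:
            verify.append((row["Plugin ID"], row["Name"], row["Risk"]))
    return corroborated, host_level, verify
```

Findings in the verify bucket are the first candidates for the manual confirmation the report recommends, since the scanner is claiming something on a port Nmap did not see open.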

Conclusions
There were two targets available, and they contained a fair number of open ports and
vulnerabilities. The Basic Network Scan in Nessus does not identify as many vulnerabilities as
the custom policy scan does. The difference in vulnerabilities found is to be expected, given that
the custom policy is meant to look for more possibilities.
