Practical lab documentation covering network reconnaissance with Nmap and packet analysis with Scapy, completed as part of ParoCyber Ethical Hacking Training.
- Objectives
- Lab Environment
- Part 1: Nmap Reconnaissance
- Part 2: Network Configuration
- Part 3: Packet Capture with Tcpdump
- Part 4: Scapy Packet Analysis
- Key Learnings
- References
- Author
The objectives of this lab are to:
- Understand network reconnaissance using Nmap for host discovery, port scanning, and service enumeration
- Learn OS fingerprinting techniques to identify target operating systems
- Explore SMB enumeration and understand common Windows network vulnerabilities
- Capture network traffic using tcpdump and analyze with Wireshark
- Master Scapy for packet sniffing, crafting, and protocol analysis
| Component | Details |
|---|---|
| Attacker Machine | Kali Linux |
| Target Network | 10.6.6.0/24 |
| Target Host | 10.6.6.23 |
| Network Interface | eth0, br-internal |
| Tools Used | Nmap, Scapy, Tcpdump, Wireshark, SMBClient |
Command:
```bash
nmap -sn 10.6.6.0/24
```

Explanation:
- `-sn`: Ping scan (disables port scan)
- `10.6.6.0/24`: Target subnet (256 hosts)
- Discovers live hosts on the network without scanning ports
- Useful for initial reconnaissance to identify active targets
Command:
```bash
sudo nmap -O 10.6.6.23
```

Explanation:
- `-O`: Enable OS detection
- `sudo`: Required for raw socket access
- Uses TCP/IP stack fingerprinting to identify the target's operating system
- Compares responses against Nmap's database of known OS signatures
Command:
```bash
nmap -p21 -sV -A -T4 10.6.6.23
```

Explanation:
- `-p21`: Scan port 21 (FTP)
- `-sV`: Probe open ports to determine service/version info
- `-A`: Aggressive scan (OS detection, version detection, script scanning, traceroute)
- `-T4`: Timing template (faster execution)
Commands:
```bash
nmap -A -p139,445 10.6.6.23
nmap --script smb-enum-shares.nse -p445 10.6.6.23
```

Explanation:
- `-p139,445`: Target SMB ports (NetBIOS and SMB direct)
- `--script smb-enum-shares.nse`: Nmap script to enumerate SMB shares
- SMB (Server Message Block) is commonly used for file sharing on Windows networks
- Enumeration reveals available shares, permissions, and potential attack vectors
Command:
```bash
smbclient //10.6.6.23/print$ -N
```

Explanation:
- `smbclient`: Command-line SMB client
- `//10.6.6.23/print$`: Target share (print$ is a default Windows printer share)
- `-N`: No password (null session)
- Type `exit` to close the shell
These commands help understand the network environment:
Command 1: View Network Interfaces

```bash
ifconfig
```
- Displays IP addresses, MAC addresses, and interface statistics

Command 2: View Routing Table

```bash
ip route
```
- Shows the routing table and default gateway

Command 3: View DNS Configuration

```bash
cat /etc/resolv.conf
```
- Displays configured DNS servers
Command:
```bash
sudo tcpdump -i eth0 -s 0 -w ladies.pcap
```

Explanation:
- `-i eth0`: Capture on eth0 interface
- `-s 0`: Capture full packets (no truncation)
- `-w ladies.pcap`: Write output to pcap file
- Press `Ctrl + C` to stop capture

Verify Capture:

```bash
ls ladies.pcap
```

Open in Wireshark:

```bash
wireshark ladies.pcap
```
```bash
sudo su
scapy
```

Scapy requires root privileges for raw socket access.
Commands:
```python
# Start sniffing (captures all traffic)
sniff()
# In another terminal, generate traffic:
# ping google.com
# Stop sniffing with Ctrl + C
# Store captured packets
paro = _
# View summary
paro.summary()
```

Explanation:
- `sniff()`: Captures packets on the default interface
- `_`: Stores the last result in Scapy
- `.summary()`: Displays a summary of captured packets
Commands:
```python
# Sniff on specific interface
sniff(iface="br-internal")
# Generate traffic:
# ping 10.6.6.1
# Open browser: http://10.6.6.23
# Stop with Ctrl + C
# Store and analyze
paro2 = _
paro2.summary()
```

Explanation:
- `iface="br-internal"`: Specifies the network interface to sniff on
- Captures traffic only on the internal bridge network
Commands:
```python
# Capture only ICMP packets, limit to 5
sniff(iface="br-internal", filter="icmp", count=5)
# In another terminal:
# ping 10.6.6.23
# Stop when 5 packets captured
# Store and analyze
paro3 = _
paro3.summary()
# View specific packet (4th packet)
paro3[3]
```

Explanation:
- `filter="icmp"`: BPF filter to capture only ICMP (ping) packets
- `count=5`: Stop after capturing 5 packets
- `paro3[3]`: Access individual packets by index (0-based)
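
Added example (not part of the original lab): the code below reads the classic pcap format that `tcpdump -w` writes, keeps only ICMP echo requests as the `icmp` filter does, and flags any source that pinged many distinct hosts, which is what an ICMP host-discovery sweep looks like from the defender's side. The addresses 10.6.6.100 and 10.6.6.50, the threshold of 10, the function names and the in-memory capture are all constructed for illustration.

```python
import struct
from collections import defaultdict

def ip_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))

def echo_frame(src, dst):
    """Constructed sample: Ethernet + IPv4 + ICMP echo request (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                     ip_bytes(src), ip_bytes(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!BBHHH", 8, 0, 0, 1, 1)

def sample_capture():
    """Constructed pcap bytes: one source sweeps 20 hosts, another pings one host 5 times."""
    frames = [echo_frame("10.6.6.100", f"10.6.6.{n}") for n in range(1, 21)]
    frames += [echo_frame("10.6.6.50", "10.6.6.23")] * 5
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for ts, frame in enumerate(frames):
        pcap += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return pcap

def echo_targets(pcap):
    """Map each source IP to the set of hosts it sent ICMP echo requests to."""
    # The magic number tells us the byte order the capture was written in.
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack_from(order + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    seen, offset = defaultdict(set), 24
    while offset + 16 <= len(pcap):
        caplen = struct.unpack_from(order + "I", pcap, offset + 8)[0]
        frame = pcap[offset + 16:offset + 16 + caplen]
        offset += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 1:
            continue  # truncated, not IPv4, or not ICMP
        ihl = (frame[14] & 0x0F) * 4
        fragment_offset = struct.unpack_from("!H", frame, 20)[0] & 0x1FFF
        if fragment_offset == 0 and len(frame) > 14 + ihl and frame[14 + ihl] == 8:
            src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
            seen[src].add(dst)
    return seen

def sweep_sources(pcap, threshold=10):
    """Sources whose echo requests reached at least `threshold` distinct hosts."""
    return sorted(s for s, hosts in echo_targets(pcap).items() if len(hosts) >= threshold)

if __name__ == "__main__":
    print(sweep_sources(sample_capture()))
```

On a local Ethernet segment a privileged Nmap ping scan uses ARP requests rather than ICMP, so this check covers ICMP-based sweeps only.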
- Host discovery is the first step in any penetration test
- Service enumeration reveals potential attack vectors
- NSE scripts extend Nmap's capabilities for specific tasks
- SMB enumeration is critical for Windows network assessments
- Powerful Python-based tool for packet manipulation
- Can sniff, craft, send, and analyze packets
- BPF filters allow targeted packet capture
- Essential for understanding network protocols at a low level
- Network security assessments: Identify vulnerabilities before attackers do
- Incident response: Analyze captured traffic during security incidents
- Penetration testing: Reconnaissance phase of ethical hacking engagements
- Network troubleshooting: Diagnose connectivity and protocol issues
- Nmap Official Documentation
- Scapy Documentation
- Tcpdump Manual
- Wireshark User Guide
- OWASP Testing Guide
Aliu Tijani
Ethical Hacking Student | ParoCyber Training Program
This project is licensed under the MIT License - see the LICENSE file for details.
Created as part of ParoCyber Ethical Hacking Training, December 2025













