**Nmap Encrypted Scanning Project**

**Objective**

This project will analyze how encryption affects Nmap scans under different conditions by comparing open port detection, service fingerprinting, and banner information between encrypted and unencrypted communications.

**Project Scenarios**

We will conduct Nmap scans from the Dell OptiPlex 7070 SFF (Windows 10 Pro) against the MacBook Air (macOS) under four conditions:

No Encryption (Baseline) – Unencrypted HTTP service on port 80.

TLS Encryption (HTTPS Web Server) – TLS-encrypted service on port 443.

Secure Shell (SSH Tunnel Forwarding) – SSH tunnel between devices on port 22.

Secure File Transfer (SFTP over SSH) – Secure file transfer using SFTP (port 22).

Project Setup

**1. Environment Preparation**

**Windows Setup (Dell OptiPlex 7070 SFF)**

Install Nmap (already installed).

Install VS Code, Python, Jupyter Notebook (already installed).


**MacOS Setup (MacBook Air)**

Ensure OpenSSH is installed (comes pre-installed on macOS).

Install a simple web server (if needed for TLS testing):

brew install openssl

**2. Scenario 1: No Encryption (Baseline)**

Start an HTTP server on the MacBook Air:

python3 -m http.server 80 --bind 0.0.0.0

Find MacBook's local IP address:

ifconfig | grep "inet "

Run Nmap from Dell (Windows) to scan the MacBook:

nmap -A <MacBook-IP>

Record findings in Jupyter Notebook.

**3. Scenario 2: TLS Encryption (HTTPS Web Server)**

Set up an HTTPS server on MacBook Air:

Run Nmap from Dell (Windows) to scan the encrypted service:

nmap -sV --script ssl-enum-ciphers <MacBook-IP>

Compare findings with baseline scan and note differences.

**4. Scenario 3: SSH Tunnel Forwarding**

Start an SSH server on MacBook Air:

sudo systemsetup -setremotelogin on

From Dell, establish an SSH tunnel:

ssh -L 8080:localhost:80 user@<MacBook-IP>

Run Nmap against the tunneled service:

nmap -p 8080 localhost

Compare results against previous scans.

**5. Scenario 4: Secure File Transfer (SFTP over SSH)**

On MacBook Air, confirm SSH service is running:

sudo systemsetup -getremotelogin

Transfer a test file from Windows to Mac via SFTP:

sftp user@<MacBook-IP>
put testfile.txt

Run an Nmap scan on port 22 from Dell:

nmap -p 22 -sV <MacBook-IP>

Analyze how encryption affects service detection.

** 6.Conclusion**

Compare all four scenarios and analyze how encryption changes Nmap’s ability to detect services.

Document findings in the Jupyter Notebook and push results to GitHub.



**Scenario 1: Baseline Nmap Scan (No Encryption) - Report**

**Objective**

The purpose of this scenario was to establish a baseline for how Nmap detects open, unencrypted services. To achieve this, an HTTP server without encryption was set up on the MacBook Air, and an Nmap scan was conducted from the Dell Windows 11 system to analyze what services and ports were detected before implementing encryption in later scenarios.

Steps Taken
Set up a Python HTTP server on the MacBook Air:

The following command was executed in the MacBook’s Terminal:

sudo python3 -m http.server 80 --bind 0.0.0.0

This command launched an unencrypted web server on port 80, making it accessible over the local network.

Verified the MacBook’s IP address:

The command below was used to identify the local IP address of the MacBook Air:

ifconfig | grep "inet "

The system returned an IP address of 192.168.1.148, confirming that the device was reachable on the network.

Tested HTTP access from the Dell system:

Using Google Chrome on the Dell Windows 11 system, the following URL was entered:

http://192.168.1.148

The browser successfully loaded the server’s directory listing, confirming that the HTTP server was functional and accessible.

**Performed Nmap scans from the Dell system:**
Basic port scan **(nmap 192.168.1.148)**) is executed to detect open ports.
Service version detection scan **(nmap -sV 192.168.1.148)** was performed to identify running services.
Aggressive scan **(nmap -A 192.168.1.148)** was conducted for more detailed fingerprinting.

**Findings from the Baseline Scan**
Key Findings:
Port 80 (HTTP) was detected as open, confirming that the unencrypted Python HTTP server was active and accessible.
Nmap identified the service as SimpleHTTPServer 0.6 (Python 3.12.3), which aligns with the expected output for Python's built-in web server.
The OS fingerprinting results correctly identified the target machine as running macOS (versions 11-13).
A directory listing was detected on the HTTP server, meaning that any files in the directory where the server was launched were openly accessible.

**Additional Interesting Observations:**

Port 5000/tcp & 7000/tcp were open, running AirTunes RTSP (Real Time Streaming Protocol) services (rtspd 775.3.1). These are used by Apple’s AirPlay for media streaming.
Port 49152/tcp was open but unidentified. This is a common ephemeral port that macOS may use for internal communication or background services.
Nmap detected a .git directory on the HTTP server, which could indicate an exposed Git repository if it were publicly accessible.

**Conclusion:**
The baseline Nmap scan was successfully completed, providing a clear view of how Nmap detects unencrypted services on a network. Port 80 was correctly identified, and additional open ports (such as AirTunes services) were also detected. This establishes a reference point for comparison in future scenarios when encryption is applied.

📌 Scenario 1: Summary of the Flow (Baseline - Unencrypted HTTP)
Step 1: The Mac starts an unencrypted HTTP server on 0.0.0.0:80, making it accessible to any device on the network.
Step 2: The Dell scans 192.168.1.148:80 and detects an open HTTP service.
Step 3: The Dell accesses http://192.168.1.148 in a browser, confirming the connection is unencrypted.
Step 4: Nmap’s aggressive scan (-A) reveals a directory listing, meaning files on the server are openly accessible.

🚀 Key Takeaway
🔹 All traffic is unencrypted, meaning data can be intercepted.
🔹 Nmap detects HTTP on port 80, confirming the service is running with no encryption.
🔹 The server allows directory listing, which could expose sensitive files to attackers.



**Next Steps: Implementing TLS Encryption**

With the baseline scan complete, the next step is to encrypt the HTTP traffic using TLS (HTTPS) and analyze how Nmap’s detection results change. This will involve:

Setting up an HTTPS server on the MacBook Air with a self-signed TLS certificate.
Running the same Nmap scans from the Dell system to compare results.
Identifying how encryption affects port visibility, service fingerprinting, and banner detection.

**Scenario 2: Nmap Scan Results for TLS-Encrypted HTTPS Server**

1️⃣ Basic Port Scan (nmap 192.168.1.148)

Nmap Command:
**nmap 192.168.1.148**

Raw Output Highlights:
Host is up with 0.012s latency.
Port 443/tcp (HTTPS) is open, replacing HTTP from Scenario 1.
Port 5000/tcp (UPnP) is open, likely related to Apple’s AirTunes or device functions.
Port 7000/tcp (AFS3 file server) is open, used by macOS for file sharing.
MAC Address: 74:A6:CD:DB:FD:32 (Apple device).

**Interpretation:**

The system is responsive with low latency, confirming a local network connection.
HTTPS is running on port 443 instead of HTTP (port 80 in Scenario 1).
Other detected services (5000, 7000) were also present in Scenario 1, meaning they are unrelated to the encryption change.

**Comparison to Scenario 1:**

Main difference: In Scenario 1, port 80 (HTTP) was open, now it's 443 (HTTPS).
This confirms that TLS encryption has replaced the previous unencrypted web service.

2️⃣ Service Version Detection (nmap -sV -p 443 192.168.1.148)

Nmap Command:
**nmap -sV -p 443 192.168.1.148**

**Raw Output Highlights:**

Port 443 is open, running ssl/http (HTTPS).
Detected service: SimpleHTTPServer 0.6 (Python 3.12.3).

**Interpretation:**
The server is using Python’s built-in SimpleHTTPServer, which was also present in Scenario 1.
Key difference: Now it is wrapped in SSL/TLS encryption (identified as ssl/http instead of http).
This confirms that encryption is successfully applied, and the server is no longer transmitting data in plaintext.

**Comparison to Scenario 1:**

Scenario 1: The same Python server was detected but as http (unencrypted).
Scenario 2: The server is now detected as ssl/http, verifying that the transition to HTTPS was successful.

**3️⃣ Aggressive Scan (nmap -A -p 443 192.168.1.148)**

Nmap Command:
**nmap -A -p 443 192.168.1.148**

**Raw Output Highlights:**

Port 443 is open, running ssl/http (HTTPS).
SSL certificate details:
Organization: Internet Widgits Pty Ltd
Country: AU
Validity: March 12, 2025 – March 12, 2026
.git directory found in web root.

**Interpretation:**

Nmap successfully extracted SSL certificate details, confirming that our self-signed certificate is in use.
The certificate is not signed by a trusted Certificate Authority (CA), which is why browsers show a security warning.
Security Concern: Nmap discovered a .git directory on the HTTPS server.
This could expose Git repository data if misconfigured.
If sensitive files exist in .git, attackers could clone the repository and extract code, credentials, or configuration files.

**Comparison to Scenario 1:**
New detection: .git directory was NOT reported in Scenario 1.
Possible reason: HTTPS may allow deeper enumeration, or Git may not have been scanned over HTTP in Scenario 1.

**4️⃣ SSL Cipher & Encryption Strength Analysis (nmap --script ssl-enum-ciphers -p 443 192.168.1.148)**

 Nmap Command:
**nmap --script ssl-enum-ciphers -p 443 192.168.1.148**

**Raw Output Highlights:**

TLS 1.2 and TLS 1.3 are supported.
Strong ciphers detected (all rated "A"):
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
No weak ciphers detected.

**Interpretation:**
The HTTPS server is enforcing modern encryption standards, which is ideal for security.
TLS 1.2 and 1.3 are strong and still widely used in production environments.
No outdated or insecure ciphers (e.g., TLS 1.0, RC4, or DES) were found, meaning the server is using best practices for encryption.

**Comparison to Scenario 1:**
Scenario 1 had no encryption.
Scenario 2 has enforced HTTPS with strong TLS encryption.
This confirms that data transmission is now protected from man-in-the-middle attacks (MITM) and eavesdropping.

**Final Summary & Key Takeaways:**
✅ Encryption Successfully Implemented

The server has transitioned from HTTP (unencrypted) to HTTPS (encrypted).
TLS 1.2 and TLS 1.3 are properly configured, with no weak ciphers detected.
The server is using strong, modern cryptographic ciphers (AES-GCM, ChaCha20-Poly1305), ensuring that data cannot be easily intercepted or tampered with.
The certificate is self-signed, which means it is not trusted by default browsers, resulting in a security warning. However, the encryption itself is functional.

**🚨 Security Concern: Exposed .git Directory**

The .git directory could potentially leak sensitive repository information.
This was not detected in Scenario 1 (HTTP) but was found in Scenario 2 (HTTPS).
Possible reasons it was detected now:
Nmap's HTTP scripts scanned more deeply over HTTPS.
Additional web security measures on HTTP may have blocked certain requests.
The .git folder was manually added or became exposed during the transition to HTTPS.

**Potential risk:**
If this Git repository contains sensitive credentials, API keys, or proprietary code, an attacker could clone it remotely.
If the .git folder is publicly accessible, attackers could extract commit history and config files.

**Recommendation:**
Restrict access to the .git directory in the web server configuration.
Ensure no sensitive credentials are stored in Git repositories accessible from the web root.
Verify that Git is not exposing unwanted files using ls -la /path/to/webroot/.git.

**🔹 Additional Insight: Understanding Cipher Suite Negotiation**  

In our analysis, we determined that the HTTPS server **supports** strong encryption methods, but Nmap does not tell us which cipher suite is actually **negotiated and used** in a real connection.  

**🔹 Key Clarification:**  
- Nmap lists **all available cipher suites** that the server supports.  
- The **actual cipher chosen depends on handshake negotiation** between the client and server.  
- If a client does not support the strongest cipher, a weaker one may be selected.  
- **Nmap does not simulate a full TLS handshake**, so we cannot see the final choice.  

**🔹 Optimally, the server will use:**  
- **TLS Handshake:** ECDHE for key exchange (supports Perfect Forward Secrecy).  
- **Server Authentication:** RSA to verify the certificate.  
- **Data Encryption:** AES-256 in GCM mode for confidentiality.  
- **Integrity Check:** SHA-384 for message authentication.  

**🔹 However, these may be downgraded based on:**  
- The client’s supported ciphers.  
- TLS handshake negotiation.  
- Server preference settings.  

**🔹 How to Determine the Actual Cipher Used?**  
To confirm which cipher suite was actually chosen in a real connection, we would need to:  

1️⃣ **Perform a live TLS handshake using OpenSSL:**  
   ```sh
   openssl s_client -connect 192.168.1.148:443

   This forces a connection and reveals the negotiated cipher.

2️⃣ **Capture the handshake with Wireshark:**

The Server Hello message will contain the actual selected cipher in real traffic.
This allows us to verify if the strongest cipher was used or if it was downgraded.

**🚀 Summary:** 

Nmap shows what is available, but not what is actually used.
OpenSSL or Wireshark is required to determine the final selected cipher.
Understanding this distinction is crucial in security assessments to ensure that strong encryption is actually enforced.

📌 Scenario 2: Summary of the Flow (TLS-Encrypted HTTPS Server)
Step 1: The Mac starts an HTTPS server on 0.0.0.0:443 using a self-signed TLS certificate.
Step 2: The Dell scans 192.168.1.148:443 and detects an HTTPS service instead of HTTP.
Step 3: The Dell accesses https://192.168.1.148 in a browser, but sees a security warning due to the self-signed certificate.
Step 4: Nmap retrieves SSL certificate details, confirming TLS 1.2 and TLS 1.3 encryption.
Step 5: Nmap detects an exposed .git repository, which was not identified in Scenario 1.

🚀 Key Takeaway
🔹 Traffic is now encrypted, preventing interception, but the self-signed certificate triggers security warnings.
🔹 Nmap sees HTTPS on port 443 instead of HTTP on port 80, confirming encryption is in place.
🔹 The .git directory exposure is a security risk, showing that encryption does not protect against misconfigurations.



**Scenario 3: Nmap Scan Results for HTTP Over SSH Tunnel**

**1️⃣ Basic Port Scan (nmap 127.0.0.1 -p 9999)**

Nmap Command:
**nmap 127.0.0.1 -p 9999**

Raw Output Highlights:
Port 9999/tcp is open, meaning the SSH tunnel is active.
Initially identified as "abyss" service due to incomplete detection.

**Interpretation:**
The port is open, confirming that the SSH tunnel is properly forwarding traffic.
Initial misidentification was due to Nmap not fully analyzing the service.

**Comparison to Previous Scenarios:**
In Scenario 1 (Unencrypted HTTP), Nmap scanned 192.168.1.148:80 directly.
In Scenario 2 (Direct HTTPS), Nmap scanned 192.168.1.148:443.
Here, Nmap is scanning 127.0.0.1:9999, meaning it is analyzing the SSH tunnel rather than the remote Mac itself.
27.0.0.1:9999 appears to be a local HTTP server on the Dell, but it is actually traffic being forwarded from the Mac’s HTTP server (192.168.1.148:8080).
The SSH tunnel makes the remote service accessible as if it were running locally on the Dell.
Nmap detects HTTP on port 9999, but it is actually analyzing the tunneled connection, not a service physically running on the Dell.
Without the SSH tunnel, port 9999 on the Dell would be closed and inaccessible.


**2️⃣ Service Version Detection (nmap -sV -p 9999 127.0.0.1)**

Nmap Command:
**nmap -sV -p 9999 127.0.0.1**

Raw Output Highlights:
Port 9999/tcp is running SimpleHTTPServer 0.6 (Python 3.12.3).
Now correctly identifies the service as HTTP instead of "abyss".

**Interpretation:**
This confirms that the SSH tunnel is successfully forwarding HTTP traffic.
The initial service misidentification was resolved by using a version scan (-sV).
Even though traffic is encrypted over SSH, Nmap still detects HTTP running inside the tunnel.

**Comparison to Previous Scenarios:**
In Scenario 1, Nmap detected SimpleHTTPServer on port 80.
In Scenario 2, Nmap detected SimpleHTTPServer on port 443 (encrypted with TLS).
Here, we see the same service running, but tunneled over SSH.
Nmap detects HTTP because it is scanning port 9999 on the Dell, where the SSH tunnel has already decrypted the traffic.
Wireshark will show unencrypted HTTP packets on 127.0.0.1:9999 (Dell), but encrypted SSH packets on 192.168.1.148:22 (Mac).
The SSH tunnel encrypts traffic between machines but does NOT encrypt traffic once it reaches the local port forwarding endpoint.

**3️⃣ Aggressive Scan (nmap -A -p 9999 127.0.0.1)**
Nmap Command:
nmap -A -p 9999 127.0.0.1
Raw Output Highlights:
Port 9999 is running SimpleHTTPServer 0.6 (Python 3.12.3).
Directory Listing is Enabled.
Git Repository Detected (.git directory found).
HTTP Server Header: Reports SimpleHTTP/0.6 Python/3.12.3.
Interpretation:
The SSH tunnel does not block Nmap’s ability to detect the underlying service.
The .git directory is exposed, which could pose a security risk.
This shows that SSH tunneling encrypts traffic in transit, but does NOT hide the service details from a local scan.
Comparison to Previous Scenarios:
In Scenario 1, a .git directory was detected in unencrypted HTTP (port 80).
In Scenario 2, the .git directory was also found in direct HTTPS (port 443).
Here, despite the SSH tunnel, Nmap was still able to detect and enumerate the .git repository.

**Summary of the Flow**

Step 1: The Mac starts an HTTP server on 127.0.0.1:8080, but it’s only accessible from the Mac itself.
Step 2: The Dell creates an SSH tunnel (9999 → 8080), allowing traffic sent to 127.0.0.1:9999 to be forwarded to 127.0.0.1:8080 (Mac).
Step 3: The Dell accesses 127.0.0.1:9999, and traffic is automatically encrypted, sent to the Mac, decrypted, and processed by the HTTP server.
Step 4: Nmap scans 127.0.0.1:9999 on the Dell, sees HTTP running, but does not know that it’s actually coming from the Mac.

🚀 Key Takeaway
🔹 The SSH tunnel tricks the Dell into thinking the Mac’s HTTP server is running locally.
🔹 Nmap sees HTTP on 127.0.0.1:9999, but that’s just the tunnel exposing it—it doesn’t detect encryption.
🔹 If we ran Wireshark, we would see encrypted SSH traffic between the Dell and Mac (port 22), but unencrypted HTTP on 127.0.0.1:9999.

**Final Summary & Key Takeaways**

 SSH Tunnel Successfully Established

HTTP traffic was secured via an SSH tunnel, replacing direct HTTP or HTTPS.
Port 9999 correctly forwarded traffic from 127.0.0.1:8080.
Nmap successfully scanned HTTP through the SSH tunnel, proving that encrypted tunneling does not inherently block service fingerprinting.
 Encrypted tunneling prevents third-party network-based packet capture, but does not block service fingerprinting at the local endpoint because decryption happens before the service is accessed. This means that while tunneling protects data in transit from external interception, it does not hide the true nature of a service from an attacker who gains access to the endpoint. In cybersecurity, this reinforces the need for strong endpoint security, access controls, and logging, as attackers who breach a local system can still enumerate services even if traffic was encrypted over the network.


**🚨 Security Concern: Exposed .git Directory**

The .git directory was detected, just as in Scenario 1 (HTTP) and Scenario 2 (HTTPS).
This means SSH tunneling does NOT prevent data leaks—it only encrypts traffic.
Recommendation: Restrict access to .git via .htaccess or server configuration.

**🛠️ Key Differences Compared to Previous Scenarios**

Scenario 1: Direct HTTP
Connection Type: Unencrypted HTTP.
Port Scanned: 80.
Encryption Used: ❌ None.
Key Findings: .git directory exposed.

Scenario 2: Direct HTTPS
Connection Type: Encrypted HTTPS.
Port Scanned: 443.
Encryption Used: ✅ TLS 1.2 / 1.3.
Key Findings: .git directory still exposed.

We are confident that TLS 1.2 and TLS 1.3 were the only versions available on the server because Nmap’s ssl-enum-ciphers script explicitly confirmed that only these versions were supported. While we previously discussed how individual cryptographic components—such as key exchange (ECDHE), authentication (RSA), encryption (AES-GCM), and integrity verification (SHA-384)—could be downgraded based on client-server negotiation, TLS version enforcement operates differently. A server will only allow connections using the versions it supports, meaning if an older version like TLS 1.1 were required by the client, the connection would simply fail rather than downgrade. In our case, the Mac server only advertised TLS 1.2 and 1.3, ensuring that no older, weaker versions could be used. While cipher selection was flexible within the constraints of TLS 1.2/1.3, the protocol version itself was strictly limited by the server’s configuration, meaning we can be fully confident that one of these two versions was used.

Scenario 3: HTTP Over SSH Tunnel
Connection Type: HTTP tunneled over SSH.
Port Scanned: 9999.
Encryption Used: ✅ SSH Tunnel.
Key Findings: .git directory still exposed, proving tunneling does not hide services.
