# **Network Scanning and Security Assessment with Nmap**
### **Introduction**
In this project, I explore **Nmap (Network Mapper)**, a powerful open-source network scanning tool used by cybersecurity professionals, network administrators, and ethical hackers. The primary objective of this project is to conduct a comprehensive **network reconnaissance scan**, analyze the discovered devices and services, and assess potential security implications.

### **Objectives of This Project**
By the end of this project, I will have:
1️⃣ **Installed and used Nmap** to scan a local network.  
2️⃣ **Identified active devices**, their IP addresses, and open ports.  
3️⃣ **Analyzed running services and potential security risks** associated with open ports.  
4️⃣ **Understood how subnet scanning works** using CIDR notation.  
5️⃣ **Explored advanced scanning techniques** and how Nmap can be used for vulnerability detection and automation.

### **Why Is This Project Important?**
🔹 **Security Assessment:** Understanding which devices and services are exposed on a network is crucial for **identifying vulnerabilities**.  
🔹 **Penetration Testing Preparation:** Learning how attackers might perform reconnaissance helps in **hardening defenses**.  
🔹 **Practical Cybersecurity Experience:** Hands-on experience with **real-world tools like Nmap** strengthens network security skills.  
🔹 **Automated Network Monitoring:** Nmap can be used in **scripts to regularly monitor a network** for unexpected changes.

### **Scope of the Project**
This project will cover:
✔ **A full subnet scan** (`192.168.1.0/24`) to identify all connected devices.  
✔ **Analysis of open ports**, services, and potential vulnerabilities.  
✔ **Security recommendations** based on findings.  
✔ **Further exploration** of Nmap’s capabilities, including stealth scanning and automation with Python.


**Command Executed**

```sh
nmap -A 192.168.1.0/24
```
🔹 Performs an aggressive scan (`-A`) on all devices in the 192.168.1.x subnet (up to 256 IPs).  
🔹 Identifies open ports, services, operating systems, and device details.

**🔍 General Information at the Start**

```text
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-27 14:50 PST
```
✔ Nmap version: 7.95  
✔ Website: https://nmap.org  
✔ Scan start time: 2025-02-27 at 14:50 PST

**📌 Device 1: iPhone.attlocal.net (192.168.1.78)**

```text
Nmap scan report for iPhone.attlocal.net (192.168.1.78)
Host is up (0.010s latency).
```
✔ Device Name: iPhone  
✔ IP Address: 192.168.1.78  
✔ Host is online: ✅ (0.010 seconds response time)

```text
Not shown: 999 closed tcp ports (conn-refused)
PORT      STATE SERVICE    VERSION
62078/tcp open  tcpwrapped
```
✔ 999 ports are closed (rejected connection attempts).  
✔ One open port:

Port 62078/tcp → Marked as tcpwrapped  
🔹 "tcpwrapped" means the service requires authentication, so Nmap couldn’t detect more details.


**📌 Device 2: unknown38b8008eb820.attlocal.net (192.168.1.85)**

```text
Nmap scan report for unknown38b8008eb820.attlocal.net (192.168.1.85)
Host is up (0.0065s latency).
```
✔ Device name unknown (not resolved).  
✔ IP Address: 192.168.1.85  
✔ Host is online: ✅ (0.0065s response time)

```text
Not shown: 994 closed tcp ports (conn-refused)
```
✔ 994 ports closed, but 6 ports open:

🚪 Open Ports and Services

```text
80/tcp   open  http            nginx
|_http-title: 404 Not Found
```
Port 80 = HTTP Web Server  
Service: nginx (a lightweight web server)  
404 Not Found = Web server is running but not hosting a page.

```text
7000/tcp open  rtsp            AirTunes rtspd 377.40.00
|_irc-info: Unable to open connection
|_rtsp-methods: ERROR: Script execution failed (use -d to debug)
```
Port 7000 = RTSP (Real-Time Streaming Protocol)  
Used for streaming audio/video (AirTunes/Apple Music streaming).  
Error: Couldn’t retrieve all details.

```text
8008/tcp open  http?
|_http-title: Site doesn't have a title.
```
Port 8008 = HTTP service (possibly Chromecast or Google Home-related).

```text
8009/tcp open  ssl/castv2      Ninja Sphere Chromecast driver
|_ssl-date: TLS randomness does not represent time
```
Port 8009 = Chromecast communication  
TLS issue: Certificate doesn’t match a valid date.

```text
8443/tcp open  ssl/https-alt?
|_http-title: Site doesn't have a title.
```
Port 8443 = HTTPS alternative port  
🔹 Likely an encrypted web service.

```text
9000/tcp open  ssl/cslistener?
```
Port 9000 = Unknown service (cslistener?).


**📌 Device 3: Nest-Audio.attlocal.net (192.168.1.95)**

```text
Nmap scan report for Nest-Audio.attlocal.net (192.168.1.95)
Host is up (0.0069s latency).
```
✔ Device: Google Nest Audio  
✔ IP Address: 192.168.1.95  
✔ Host is online: ✅ (0.0069s response time)

```text
Not shown: 994 closed tcp ports (conn-refused)
```
✔ 994 closed ports  
✔ 6 open ports:

🚪 Open Ports and Services

```text
8008/tcp  open  http?
|_http-title: Site doesn't have a title.
```
Port 8008 = Likely Google Home Web Interface

```text
8009/tcp  open  ssl/ajp13?
| ssl-cert: Subject: commonName=11798fb2-fce0-f921-f25a-8534fc8d7616
| Not valid before: 2025-02-27T10:53:44
|_Not valid after:  2025-03-01T10:53:44
```
Port 8009 = Google Home communication.  
SSL certificate only valid for a few days.

```text
8443/tcp  open  ssl/https-alt?
```
Port 8443 = Encrypted HTTPS service.

```text
9000/tcp  open  ssl/cslistener?
10001/tcp open  ssl/scp-config?
10002/tcp open  documentum?
```
Unknown services, possibly IoT-related.


**📌 Device 4: Stevens-Laptop.attlocal.net (192.168.1.148)**

```text
Nmap scan report for Stevens-Laptop.attlocal.net (192.168.1.148)
Host is up (0.00014s latency).
```
✔ Device: Your MacBook  
✔ IP Address: 192.168.1.148  
✔ Host is online: ✅ (0.00014s response time)

```text
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE SERVICE    VERSION
```
✔ 996 closed ports  
✔ 4 open ports:

🚪 Open Ports and Services

```text
88/tcp   open  tcpwrapped
```
Port 88 = Usually Kerberos authentication.

```text
5000/tcp open  rtsp       AirTunes rtspd 775.3.1
```
Port 5000 = Apple’s streaming service.

```text
5900/tcp open  vnc        Apple remote desktop vnc
| vnc-info: 
|   Protocol version: 3.889
|   Security types: 
|     Apple Remote Desktop (30)
|     Unknown security type (33)
|     Unknown security type (36)
|_    Mac OS X security type (35)
```
Port 5900 = VNC (Virtual Network Computing)  
🔹 Remote desktop sharing is enabled.

```text
7000/tcp open  rtsp       AirTunes rtspd 775.3.1
```
Port 7000 = Apple AirTunes streaming.


**📌 Device 5: dsldevice.attlocal.net (192.168.1.254) (Router)**

```text
Nmap scan report for dsldevice.attlocal.net (192.168.1.254)
Host is up (0.0039s latency).
```
✔ Device: Your Router (Arris Group, Inc.)  
✔ IP Address: 192.168.1.254

```text
PORT    STATE    SERVICE  VERSION
53/tcp  open     domain   dnsmasq 2.89
```
Port 53 = DNS service for resolving domain names.

```text
80/tcp  open     http     lighttpd 1.4.69
| http-title: Status
```
Port 80 = Router’s web interface.

```text
443/tcp open     ssl/http lighttpd 1.4.69
```
Port 443 = HTTPS web interface.

#### **Section 1: Introduction to Nmap**
**What is Nmap?**  
Nmap (Network Mapper) is an open-source network scanning tool used for discovering devices, scanning ports, and identifying services running on hosts. It is widely used by cybersecurity professionals, network administrators, and ethical hackers to map networks and assess security.

**🔹 What Can Nmap Do?**  
✔ Host Discovery: Find devices that are active on a network.  
✔ Port Scanning: Identify open ports on devices.  
✔ Service and Version Detection: Determine which services are running on open ports.  
✔ OS Detection: Guess the operating system of a device.  
✔ Vulnerability Scanning: Identify weak spots in a network.

**🔹 Why is Nmap Important?**  
✔ Helps assess network security by revealing open ports and services.  
✔ Aids in penetration testing by identifying potential vulnerabilities.  
✔ Allows network monitoring by mapping network devices and their activity.




#### **Section 2: Using Nmap in This Project**
**Project Objective:**  
In this project, I used Nmap to scan a local network (192.168.1.0/24) to:  
1️⃣ Identify active devices on the network.  
2️⃣ Detect open ports and services running on these devices.  
3️⃣ Analyze the security implications of these findings.

**Nmap Command Used:**
```sh
nmap -A 192.168.1.0/24
```

**🔹 What This Command Does**  
1️⃣ `nmap`  
This is the base command that runs Nmap, the network scanning tool.  
2️⃣ `-A` (Aggressive Scan Mode)  
Enables advanced scanning features, including:  
✔ OS Detection: Tries to determine the operating system of the target.  
✔ Service Version Detection: Identifies software running on open ports.  
✔ Script Scanning: Runs some of Nmap's NSE (Nmap Scripting Engine) scripts to gather additional information.  
✔ Traceroute: Maps the network path to the target device.  
3️⃣ `192.168.1.0/24` (Subnet to Scan)  
This specifies the network range to be scanned.  
`/24` CIDR notation means:  
✔ Scans all 256 IP addresses in the 192.168.1.x range (from 192.168.1.0 to 192.168.1.255).  
✔ Common in home and small office networks.

**What Does /24 Mean in CIDR Notation?**  
In IPv4 addressing, an address consists of 32 bits, divided into four 8-bit octets:

Example: 192.168.1.0 → Binary Representation

```text
192   .   168   .   1   .   0
11000000 . 10101000 . 00000001 . 00000000
```
The `/24` means that 24 bits are dedicated to the network portion, and the remaining 8 bits are available for host addresses.

```text
192.168.1.0/24
First 24 bits (network portion): 192.168.1
Last 8 bits (host portion): 0 to 255
```
Thus, this notation defines the entire range from 192.168.1.0 to 192.168.1.255, meaning:  
✅ 256 total addresses (2⁸ = 256)  
✅ First address (192.168.1.0) is the network ID (not assignable to a host)  
✅ Last address (192.168.1.255) is the broadcast address (used for sending data to all devices on the subnet)  
✅ Usable host IPs: 192.168.1.1 to 192.168.1.254 (254 available hosts)

🔹 Why is /24 Common in Home & Small Office Networks?  
✔ Allows for 254 usable hosts, which is enough for most home and small business networks.  
✔ Easy to manage: most consumer routers automatically assign IPs in this range.  
✔ Ensures proper segmentation: separates devices from the larger internet while allowing LAN communication.

🔹 Other Subnet Examples

| CIDR Notation | Subnet Mask | Total IPs | Usable Hosts | Example Network Range |
|---|---|---|---|---|
| /30 | 255.255.255.252 | 4 | 2 | 192.168.1.0 - 192.168.1.3 |
| /29 | 255.255.255.248 | 8 | 6 | 192.168.1.0 - 192.168.1.7 |
| /28 | 255.255.255.240 | 16 | 14 | 192.168.1.0 - 192.168.1.15 |
| /27 | 255.255.255.224 | 32 | 30 | 192.168.1.0 - 192.168.1.31 |
| /24 | 255.255.255.0 | 256 | 254 | 192.168.1.0 - 192.168.1.255 |
| /16 | 255.255.0.0 | 65,536 | 65,534 | 192.168.0.0 - 192.168.255.255 |
| /8 | 255.0.0.0 | 16.7 million | 16.7 million | 10.0.0.0 - 10.255.255.255 |

📌 Summary  
✅ CIDR Notation (/24) means the first 24 bits are reserved for the network and the last 8 bits are for hosts.  
✅ 192.168.1.0/24 scans 256 total IPs (192.168.1.0 - 192.168.1.255).  
✅ Common in home and small office networks because it allows for 254 usable host addresses.  
✅ Understanding CIDR and subnet masks is essential for networking and cybersecurity roles.
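To make the CIDR arithmetic above concrete, here is a worked example added to this write-up (it is not code from the original project). It uses only Python's standard-library `ipaddress` module to derive the network ID, broadcast address, total and usable host counts for `192.168.1.0/24` and for every row of the subnet table, and adds a `contains()` check for confirming that a host found in a report actually falls inside the range that was scanned. The function and variable names are my own choices for this illustration.

```python
"""Worked CIDR example added to this write-up (not part of the original
project).  It uses only the standard-library ipaddress module to derive the
figures stated above for 192.168.1.0/24 and the rows of the subnet table, so
each number can be checked rather than taken on trust."""
import ipaddress


def binary_octets(address: str) -> str:
    """Render a dotted-quad IPv4 address as four 8-bit groups,
    e.g. 192.168.1.0 -> 11000000.10101000.00000001.00000000"""
    return ".".join(f"{int(octet):08b}" for octet in address.split("."))


def describe_cidr(cidr: str) -> dict:
    """Summarise a network written in CIDR notation.

    strict=False lets a host address such as 192.168.1.0/16 be given; the
    host bits are zeroed to find the real network ID (192.168.0.0/16).
    """
    net = ipaddress.ip_network(cidr, strict=False)
    host_bits = net.max_prefixlen - net.prefixlen   # 32 - prefix length
    total = 2 ** host_bits
    # Network ID and broadcast are reserved, so two addresses are lost,
    # except on /31 and /32 where there is nothing left to reserve.
    reserved = host_bits >= 2
    usable = total - 2 if reserved else total
    first = net.network_address + 1 if reserved else net.network_address
    last = net.broadcast_address - 1 if reserved else net.broadcast_address
    return {
        "cidr": str(net),
        "prefix": net.prefixlen,
        "mask": str(net.netmask),
        "host_bits": host_bits,
        "network_id": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(first),
        "last_host": str(last),
        "total": total,
        "usable": usable,
    }


def contains(cidr: str, address: str) -> bool:
    """True when the address lies inside the scan range: a quick sanity
    check that a host in a report belongs to the subnet you asked for."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(cidr, strict=False)


def subnet_table(networks) -> list:
    """Build the rows of the subnet table from a list of CIDR strings."""
    return [describe_cidr(c) for c in networks]


if __name__ == "__main__":
    print("192.168.1.0 ->", binary_octets("192.168.1.0"))
    rows = subnet_table(["192.168.1.0/30", "192.168.1.0/29", "192.168.1.0/28",
                         "192.168.1.0/27", "192.168.1.0/24", "192.168.0.0/16",
                         "10.0.0.0/8"])
    print(f"{'CIDR':<5} {'Mask':<16} {'Total':>10} {'Usable':>10}  Range")
    for r in rows:
        print(f"/{r['prefix']:<4} {r['mask']:<16} {r['total']:>10,} "
              f"{r['usable']:>10,}  {r['network_id']} - {r['broadcast']}")
```

Running the script prints the same table as above with exact counts (the /8 row comes out as 16,777,216 total and 16,777,214 usable, which the table rounds to 16.7 million). The `reserved` flag matters in practice: Nmap happily accepts targets like `10.0.0.1/31`, and a script that blindly subtracts two would report zero usable hosts for such a range.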



**📌 Section 3: Results & Interpretation**  
The scan revealed 6 active devices on the network. Below is a summary:

| Device | IP Address | Open Ports | Services Detected |
|---|---|---|---|
| iPhone | 192.168.1.78 | 62078 | Apple sync service (tcpwrapped) |
| Google Chromecast | 192.168.1.85 | 80, 7000, 8008, 8009, 8443, 9000 | HTTP, SSL, Chromecast services |
| Google Nest Audio | 192.168.1.95 | 8008, 8009, 8443, 9000 | Chromecast services |
| My MacBook | 192.168.1.148 | 88, 5000, 5900, 7000 | Apple Remote Desktop (VNC), AirTunes |
| Unknown Device | 192.168.1.180 | No open ports | Possible firewall or offline |
| Router (DSL Modem) | 192.168.1.254 | 53, 80, 443 | DNS, Web Admin Panel, HTTPS |


**🔍 Key Findings**

⚠️ Open VNC Port (5900) on MacBook:  
Risk: Allows remote access to the system.  
Solution: Disable Remote Management in System Settings > Sharing unless needed.

⚠️ Router’s Open Web Admin Panel (80, 443)  
Risk: If default credentials are weak, the router can be accessed.  
Solution: Log in to https://192.168.1.254 and ensure strong passwords & firmware updates are in place.
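The results table and Key Findings above were compiled by hand from the scan output. The following example, added to this write-up and not code from the original project, shows how that step can be automated: a small parser for Nmap's normal text output (the `Nmap scan report for ...` blocks and the `PORT STATE SERVICE VERSION` rows) followed by a triage pass that flags the two exposures called out above. `SAMPLE_REPORT` is constructed from the MacBook and router reports shown earlier on this page, and `EXPOSURE_RULES` is an assumed review checklist for this example, not a feature of Nmap.

```python
"""Worked example added to this write-up (not code from the original project):
a parser for Nmap's normal text output plus a triage pass that flags the
exposures listed in Key Findings.  SAMPLE_REPORT is constructed from the
MacBook and router reports shown earlier on this page; EXPOSURE_RULES is an
assumed checklist for this example, not an Nmap feature."""
import re
from dataclasses import dataclass, field

SAMPLE_REPORT = """\
Nmap scan report for Stevens-Laptop.attlocal.net (192.168.1.148)
Host is up (0.00014s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE SERVICE    VERSION
88/tcp   open  tcpwrapped
5000/tcp open  rtsp       AirTunes rtspd 775.3.1
5900/tcp open  vnc        Apple remote desktop vnc
7000/tcp open  rtsp       AirTunes rtspd 775.3.1

Nmap scan report for dsldevice.attlocal.net (192.168.1.254)
Host is up (0.0039s latency).
PORT    STATE    SERVICE  VERSION
53/tcp  open     domain   dnsmasq 2.89
80/tcp  open     http     lighttpd 1.4.69
443/tcp open     ssl/http lighttpd 1.4.69
"""

# "Nmap scan report for NAME (IP)", or just "... for IP" when reverse DNS fails
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\d+\.\d+\.\d+\.\d+)\))?$")
# "PORT/PROTO STATE SERVICE [VERSION ...]" rows of the port table
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str = ""


@dataclass
class Host:
    name: str
    ip: str
    ports: list = field(default_factory=list)

    def open_ports(self) -> list:
        return [p.number for p in self.ports if p.state == "open"]


def parse_nmap_output(text: str) -> list:
    """Turn Nmap's normal output into a list of Host objects.  Lines that are
    neither a report header nor a port row (latency, 'Not shown', NSE script
    output starting with '|') are ignored."""
    hosts, current = [], None
    for line in text.splitlines():
        line = line.rstrip()
        m = HOST_RE.match(line)
        if m:
            name, ip = m.group(1), m.group(2) or m.group(1)
            current = Host(name=name, ip=ip)
            hosts.append(current)
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            num, proto, state, service, version = m.groups()
            current.ports.append(Port(int(num), proto, state, service, version or ""))
    return hosts


# Assumed review checklist: port -> (what it is, what the owner should check)
EXPOSURE_RULES = {
    5900: ("VNC / Apple Remote Desktop",
           "Remote desktop sharing is enabled; disable Remote Management in "
           "System Settings > Sharing unless it is needed."),
    80: ("HTTP admin interface",
         "Confirm the admin password is strong and firmware is up to date."),
    443: ("HTTPS admin interface",
          "Confirm the admin password is strong and firmware is up to date."),
}


def triage(hosts: list) -> list:
    """Return (ip, port, label, recommendation) for every open port that
    matches a rule, in report order."""
    findings = []
    for h in hosts:
        for p in h.ports:
            if p.state == "open" and p.number in EXPOSURE_RULES:
                label, advice = EXPOSURE_RULES[p.number]
                findings.append((h.ip, p.number, label, advice))
    return findings


if __name__ == "__main__":
    parsed = parse_nmap_output(SAMPLE_REPORT)
    for h in parsed:
        print(f"{h.name} ({h.ip}): open ports {h.open_ports()}")
    for ip, port, label, advice in triage(parsed):
        print(f"⚠️ {ip}:{port} {label}\n   {advice}")
```

In a real run the text would come from `nmap -A 192.168.1.0/24 -oN scan.txt` (the `-oN` file is exactly the format parsed here). For anything beyond a lab write-up, Nmap's XML output (`-oX`) is the more robust choice because its structure does not depend on column alignment or on which NSE scripts happened to print.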



**📌 Section 4: Where to Go Next with Nmap?**  
Now that I have basic network reconnaissance data, I can expand my cybersecurity lab with new Nmap-based projects.

🔹 Other Nmap Use Cases for Future Labs

1️⃣ Deep Scan a Specific Device  
Now that we know our MacBook has an open VNC port, we can scan only our MacBook for a more detailed vulnerability assessment:

```sh
nmap -p- -A 192.168.1.148
```
`-p-`: Scans all 65,535 ports (instead of just common ones).  
`-A`: Enables OS and service detection.

2️⃣ Running a Stealth Scan to Avoid Detection  
In real-world penetration testing, attackers often use stealthy scans to avoid detection by firewalls.  
We can use Nmap’s "SYN Scan":

```sh
nmap -sS -A 192.168.1.148
```
`-sS`: Performs a stealth SYN scan instead of a full connection scan.  
Why? This scan is less detectable by intrusion detection systems (IDS).

3️⃣ Checking for Vulnerable Services with Nmap Scripting Engine (NSE)  
Nmap has built-in vulnerability scripts.  
For example, we can scan for vulnerabilities in HTTP services:

```sh
nmap --script vuln -p 80,443 192.168.1.254
```
`--script vuln`: Runs vulnerability checks against ports 80 (HTTP) and 443 (HTTPS).

4️⃣ Automating Scans with a Python Script  
To automate network scanning, we can write a simple Python script to run Nmap:


```python
import nmap  # python-nmap wrapper around the nmap binary (pip install python-nmap)

scanner = nmap.PortScanner()
ip_target = "192.168.1.0/24"

print(f"Scanning network {ip_target}...")
# -A enables OS detection, version detection, default NSE scripts and traceroute.
# OS detection needs raw sockets, so run this script with sudo/administrator rights.
scanner.scan(hosts=ip_target, arguments="-A")

for host in scanner.all_hosts():
    print(f"\nHost: {host} ({scanner[host].hostname()})")
    print(f"State: {scanner[host].state()}")

    for proto in scanner[host].all_protocols():
        print(f"Protocol: {proto}")
        # Sort numerically so the report reads like Nmap's own output
        for port in sorted(scanner[host][proto]):
            info = scanner[host][proto][port]
            print(f"Port: {port} | State: {info['state']} | Service: {info['name']}")
```
✔ Uses the Nmap Python library (python-nmap).  
✔ Automates scanning entire subnets.
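The script above runs one scan and prints it. The "regularly monitor a network for unexpected changes" use case from the introduction needs one more step: keeping a baseline and comparing each new scan against it. The example below, added to this write-up and not part of the original project, does that from Nmap's XML output (what `nmap -oX file.xml ...` writes), which is the stable machine-readable format and needs no third-party package. Both XML snapshots are constructed for this illustration and trimmed to the elements the code reads; the function names are my own.

```python
"""Added illustration (not code from the original project): compare two Nmap
XML reports and list hosts and open ports that appeared or disappeared.
Both snapshots are constructed and trimmed to the elements used here."""
import xml.etree.ElementTree as ET

BASELINE_XML = """\
<nmaprun scanner="nmap" args="nmap -oX baseline.xml 192.168.1.0/24">
  <host><status state="up"/><address addr="192.168.1.148" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="88"><state state="open"/><service name="tcpwrapped"/></port>
    <port protocol="tcp" portid="5000"><state state="open"/><service name="rtsp"/></port>
    <port protocol="tcp" portid="7000"><state state="open"/><service name="rtsp"/></port>
  </ports></host>
  <host><status state="up"/><address addr="192.168.1.254" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="53"><state state="open"/><service name="domain"/></port>
    <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    <port protocol="tcp" portid="443"><state state="open"/><service name="http"/></port>
  </ports></host>
</nmaprun>
"""

# Later scan: Remote Management was switched on (5900 now open) and an
# unknown host joined the LAN; 192.168.1.180 did not answer at all.
CURRENT_XML = """\
<nmaprun scanner="nmap" args="nmap -oX current.xml 192.168.1.0/24">
  <host><status state="up"/><address addr="192.168.1.148" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="88"><state state="open"/><service name="tcpwrapped"/></port>
    <port protocol="tcp" portid="5000"><state state="open"/><service name="rtsp"/></port>
    <port protocol="tcp" portid="5900"><state state="open"/><service name="vnc"/></port>
    <port protocol="tcp" portid="7000"><state state="open"/><service name="rtsp"/></port>
  </ports></host>
  <host><status state="up"/><address addr="192.168.1.254" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="53"><state state="open"/><service name="domain"/></port>
    <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    <port protocol="tcp" portid="443"><state state="open"/><service name="http"/></port>
  </ports></host>
  <host><status state="up"/><address addr="192.168.1.200" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
  </ports></host>
  <host><status state="down"/><address addr="192.168.1.180" addrtype="ipv4"/></host>
</nmaprun>
"""


def open_ports_by_host(xml_text: str) -> dict:
    """Map each host that was up to the set of its open 'port/proto' strings.
    Hosts reported down are skipped; closed/filtered ports are not recorded."""
    root = ET.fromstring(xml_text)
    snapshot = {}
    for host in root.findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        ports = set()
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                ports.add(f"{port.get('portid')}/{port.get('protocol')}")
        snapshot[addr.get("addr")] = ports
    return snapshot


def _by_number(port_str: str) -> int:
    return int(port_str.split("/")[0])


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Report new and missing hosts, plus ports opened or closed on hosts
    present in both snapshots."""
    new_ports, closed_ports = {}, {}
    for ip in set(baseline) & set(current):
        opened = sorted(current[ip] - baseline[ip], key=_by_number)
        closed = sorted(baseline[ip] - current[ip], key=_by_number)
        if opened:
            new_ports[ip] = opened
        if closed:
            closed_ports[ip] = closed
    return {
        "new_hosts": sorted(set(current) - set(baseline)),
        "missing_hosts": sorted(set(baseline) - set(current)),
        "new_ports": new_ports,
        "closed_ports": closed_ports,
    }


if __name__ == "__main__":
    changes = diff_snapshots(open_ports_by_host(BASELINE_XML),
                             open_ports_by_host(CURRENT_XML))
    for key, value in changes.items():
        print(f"{key}: {value}")
```

Scheduled from cron or a launchd job, the only moving parts are the two file names and the alerting you hang off a non-empty diff. Comparing sets of `port/proto` strings rather than port numbers keeps a UDP service from masking a TCP one on the same number, and skipping hosts marked down means a device that was simply powered off shows up under `missing_hosts` rather than as a false "all ports closed".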


**📌 Section 5: Conclusion**

✔ Learned about Nmap and its capabilities.  
✔ Ran a network scan on a local network.  
✔ Interpreted the results and identified security risks.  
✔ Explored ways to expand our cybersecurity labs.