 =========================================================
 📌 Project: Nmap Web Server Detection & Monitoring
# =========================================================
# ✅ Automated Nmap scanning & logging
# ✅ Detecting & tracking changes in open ports
# ✅ Enumerating web files using `http-enum`
# ✅ Step-by-step execution in Jupyter Notebook

"""
# **Nmap Web Server Detection & Monitoring (Jupyter Notebook Version)**

## **📌 Introduction**
This project explores **network service detection and monitoring** using **Nmap** and **Python automation** in a **Jupyter Notebook environment**.

By setting up a **local web server** on a **MacBook**, we simulate real-world scenarios involving:
- **Network scanning & port enumeration**.
- **Detecting and monitoring changes in network services**.
- **Security misconfiguration testing** using `http-enum`.
- **Tracking changes over time using automated file logging**.
- **Serving an HTML file (`index.html`) and detecting it with Nmap**.
- **Ensuring the HTML file remains accessible after port changes**.
- **Interactive execution with Jupyter Notebook**, allowing **manual modifications** while **automating scanning & comparison**.

**Project Set-Up ::Establishing Variables and Functions for Automated Nmap Scanning**

## **📌  Project Plan**
 **Baseline scan**: Identify current open ports **before starting** the web server.
2 **Start a Python-based web server** on **port 8000**.
 **Serve an HTML file & detect it with Nmap**.
 **Modify the web server port (8080) & track changes**.
 **Simulate a security misconfiguration (directory listing)**.
 **Stop the web server & confirm removal with Nmap**.

### **📌 How to Use This Notebook**
- **Follow the steps manually where needed** (e.g., starting/stopping the server).
- **Run each cell in sequence** to scan and track network changes.
"""


## 🔹 Establishing Variables and Functions for Automated Nmap Scanning

Before running any scans, we first **set up key variables and functions** to automate the process of **running Nmap scans and comparing results over time**.

### **🔹 What This Code Does:**
- **Defines the target IP address** (`192.168.1.148`) for scanning.
- **Generates timestamped filenames** to store scan results for tracking changes.
- **Creates two key functions:**
  - `run_nmap_scan(target_ip, output_file)`: Runs an Nmap scan and saves the output.
  - `compare_scans(file1, file2)`: Compares two scan outputs to detect changes in network services.

These functions allow us to **run scans systematically, store results, and analyze changes in open ports and services over time.** This setup ensures an **automated approach** to tracking network security.

⬇️ **Next, we define these functions and prepare for our first baseline scan.**


In [15]:
import os
import datetime

# Set target IP (Replace with actual IP of the MacBook)
TARGET_IP = "192.168.1.148"

# Generate timestamped filenames for scan tracking
timestamp = datetime.datetime.now().strftime("%Y-%m-%d_%H-%M-%S")
baseline_scan = f"nmap_baseline_scan_{timestamp}.txt"
server_scan = f"nmap_server_scan_{timestamp}.txt"
modified_scan = f"nmap_modified_scan_{timestamp}.txt"
final_scan = f"nmap_final_scan_{timestamp}.txt"
diff_report = f"nmap_diff_report_{timestamp}.txt"

def run_nmap_scan(output_file):
    """Runs an Nmap scan using Jupyter's shell execution (!) instead of os.system()."""
    command = f"!nmap -sV -T4 {TARGET_IP} | tee {output_file}"
    print(f"[+] Running command: {command}")  # Debugging
    exec(command)  # Executes the command within Jupyter
    print(f"[+] Scan complete. Results saved to {output_file}")

def compare_scans(file1, file2, diff_output):
    """Compares two scan results and logs differences."""
    os.system(f"diff {file1} {file2} > {diff_output}")
    print(f"[+] Differences saved in {diff_output}")

print("[+] Setup complete! You can now proceed with the project.")


[+] Setup complete! You can now proceed with the project.


##  Running the Baseline Nmap Scan  

With our scanning functions in place, we now **run the first Nmap scan** to establish a **baseline of open ports and services** before starting the web server.

### **🔹 Purpose of This Scan:**
- Captures the **current state of open ports** on the target (`192.168.1.148`).
- Saves the results to a **timestamped file** for future comparison.
- Helps identify **any pre-existing network services** before modifications.

⬇️ **Next, we execute the scan and store the results for later analysis.**


In [16]:
run_nmap_scan("nmap_baseline_scan.txt")


[+] Running command: !nmap -sV -T4 192.168.1.148 | tee nmap_baseline_scan.txt


SyntaxError: invalid syntax (<string>, line 1)

##  Starting a Python-Based Web Server on Port 8000  

To simulate a real-world scenario, we started a **local web server** on the MacBook using Python’s built-in HTTP server.

### **🔹 Actions Taken:**
1. **Launched the web server** from the Desktop folder using:
   ```bash
   python3 -m http.server 8000
   ```
2. **Verified access** by opening a web browser on the **MacBook** and navigating to:
   ```
   http://localhost:8000
   ```
3. **Tested access from an iPhone (or another device on the same network)** using:
   ```
   http://192.168.1.148:8000
   ```
4. **Confirmed that the server correctly displayed a directory listing** of the Desktop folder.

### **🔹 Key Observations:**
- The web server is **actively listening on port 8000**, making it accessible within the local network.
- The iPhone successfully connected, confirming that the MacBook’s **IP address (192.168.1.148)** is correct and that network access is working.
- This setup mimics how web servers are exposed to a network, making it useful for security testing.

⬇️ **Next, we will scan the web server using Nmap to detect its presence on the network.**


##  Scanning and Detecting the Web Server with Nmap  

Now that the Python web server is running on **port 8000**, we used Nmap to **verify its presence** and detect **any accessible content**.

### **🔹 Understanding the Scans Used**
#### **📌 Nmap Service Scan (`-sV`)**
The **Nmap Service Version scan (`-sV`)** identifies:
- **Open ports** and their **state** (open/closed/filtered).
- The **service running on each port** (e.g., HTTP, SSH, FTP).
- **Version detection** for known services.

✅ **Command Used:**
```bash
nmap -sV -T4 192.168.1.148
```
✅ **Results:**
- **Port 8000 detected as open**, confirming the web server is active.
- The service running is **SimpleHTTPServer 0.6 (Python 3.12.3)**.

---

#### **📌 Nmap HTTP Enumeration Scan (`--script=http-enum`)**
The **Nmap HTTP Enumeration scan (`http-enum`)** attempts to discover:
- **Common files and directories** on the web server.
- **Configuration files** (e.g., `.gitignore`, `.htaccess`).
- **Potential vulnerabilities** like unrestricted directory listing.

✅ **Command Used:**
```bash
nmap --script=http-enum -p 8000 192.168.1.148
```
✅ **Results:**
- **Detected `.gitignore` and `.git/HEAD`**, indicating a possible Git repository.
- **Discovered `/pictures/` directory**, which could contain accessible files.

---

### **🔹 Key Observations:**
- **The web server is accessible to any device on the local network** (but not the internet).
- **The presence of `.git` files could pose a security risk** if the server were public-facing.
- The `/pictures/` folder may contain sensitive images or data.

⬇️ **Next, we will create an `index.html` file in the server directory and rerun Nmap to see if it detects the new content.**


##  Creating `index.html` and Detecting It with Nmap  

### **📌 Summary of Findings**  
In this step, we created an `index.html` file on our local web server and attempted to detect it using Nmap scans. The results highlighted key insights into how **web servers expose files** and how **security tools like Nmap detect them**.

---

### **🔹 Actions Taken:**
1. **Created an `index.html` file on the server's root directory (`~/Desktop/index.html`).**
   - This file contains a simple "Welcome to My Local Web Server" message.

2. **Verified Accessibility via Web Browser:**
   - **MacBook:** Opened `http://localhost:8000/index.html`
   - **iPhone:** Accessed `http://192.168.1.148:8000/index.html`
   ✅ **Both successfully loaded the page.**

3. **Scanned the Web Server with Nmap (`http-enum` script).**
   - Expected to see `index.html` detected.
   - **Result:** `index.html` was NOT listed.

4. **Performed a More Detailed HTTP Headers Scan (`http-headers` script).**
   - **Confirmed that the server was responding to requests for `index.html`.**
   - Detected:  
     - `Server: SimpleHTTP/0.6 Python/3.12.3`
     - `Content-Type: text/html`
     - `Last-Modified` timestamp.

5. **Used `curl` to Manually Confirm the File’s Availability.**
   - **Received `HTTP/1.0 200 OK`**, proving that `index.html` is actively served.

---

### **🔹 Key Observations:**
✅ **Files served by a web server don’t always appear in directory listings.**  
✅ **Nmap’s `http-enum` script focuses on misconfigurations and common directories—it does NOT brute-force individual files.**  
✅ **The `http-headers` scan and `curl` confirmed that `index.html` is accessible and being actively served.**  
✅ **If an attacker were scanning this server, they would need to use additional tools (brute-force enumeration, automated crawlers) to discover hidden files.**  

---

### **📌 Next Step: Changing the Web Server’s Port & Monitoring Changes**  
Now that we’ve verified file serving behavior, we will:  
- **Stop the current server on port 8000.**  
- **Restart it on a different port (8080).**  
- **Run Nmap scans to see how port changes affect detection.**  


###  Modify the Web Server and Track Changes**  

#### **🔹 Objective:**  
The goal was to **modify the web server’s root directory** (the folder it serves files from) and observe how serving from different locations affects **Nmap scan results and exposed content**.  

---

### **🔧 Steps Taken:**
1. **Stopped the web server running on port `8000`.**  
2. **Restarted the web server on port `8080`, but in a new terminal session.**  
   - Since the terminal was now in `~/Users/steventuschman/`, the web server defaulted to serving files from there.  
   - ❌ **This unintentionally exposed multiple directories** (`/downloads/`, `/pictures/`, `/library/`).  
3. **Explicitly set the web server’s root directory to `~/WebServerTest`.**  
   - This ensured the server only served files from a **controlled** location.  
4. **Performed an Nmap scan** to analyze how changing the root directory affected exposure.  
5. **Compared new Nmap results with previous scans** to confirm that previously exposed directories were no longer visible.  

---

### **🔍 Observations & Key Findings:**
✅ **Before explicitly setting a directory:**  
- The web server **defaulted to the home directory (`~/Users/steventuschman/`)**, unintentionally exposing:  
  - `/downloads/`
  - `/library/`
  - `/pictures/`
  - `/public/`  

✅ **After setting the root directory to `~/WebServerTest`:**  
- The Nmap scan **no longer detected** previously exposed directories.  
- The web server was now **restricted to serving only files inside `~/WebServerTest`**, preventing access to personal folders.  

---

### **🎯 Why This Is Important:**
- **Avoiding Accidental Data Exposure** – Running a web server from the wrong directory can expose unintended files.  
- **Understanding Web Server Behavior** – This experiment highlights how simple misconfigurations **can create security risks**.  
- **Validating Security Fixes with Nmap** – We used **before-and-after scans** to confirm that the change successfully restricted access.  

---


### 📌 Additional Notes on Step 5: Modify the Web Server and Track Changes  

#### **🔹 Objective:**  
The goal was to **modify the web server’s root directory** (the folder it serves files from) and observe how serving from different locations affects **Nmap scan results and exposed content**.  

---

### **🔧 Steps Taken:**
1. **Stopped the web server running on port `8000`.**  
2. **Restarted the web server on port `8080`, but in a new terminal session.**  
   - Since the terminal was now in `~/Users/steventuschman/`, the web server defaulted to serving files from there.  
   - ❌ **This unintentionally exposed multiple directories** (`/downloads/`, `/pictures/`, `/library/`).  
3. **Created a new dedicated folder (`~/WebServerTest`) to serve files from instead.**  
   - This ensured the server only served files from a **controlled** location.  
   - WebServerTest **did not exist before**—we manually created it during this step.  
4. **Performed an Nmap scan** to analyze how changing the root directory affected exposure.  
5. **Compared new Nmap results with previous scans** to confirm that previously exposed directories were no longer visible.  

---




## **🔹 Completing the Project: Stopping the Web Server & Final Scan**

### **✅ Stopping the Web Server**
To complete this project, we **stopped the running web server** to confirm its removal from the network.

**Steps Taken:**
1. **Identified the running web server process** using:
   ```bash
   lsof -i :8080



---


## **📌 Project Conclusion: Nmap Web Server Detection & Monitoring**

This project successfully demonstrated **network scanning, web server enumeration, and security analysis** using **Nmap** and a **Python-based HTTP server**. Through a structured series of steps, we explored how Nmap detects network services, tracks changes, and identifies potential security misconfigurations.

---

## **🔍 Key Findings & Takeaways**

### **✅ 1. Nmap for Network Scanning & Service Detection**
- **Baseline scan:** Before starting the web server, we used `nmap -sV` to establish which network services were already running.
- **Detecting an active web server:** After launching a Python HTTP server, we confirmed its presence on **port 8000** using Nmap.
- **Tracking changes:** When we later changed the port to **8080**, Nmap scans revealed how service detection is affected by port modifications.

### **✅ 2. Web Content Enumeration & Security Risks**
- **Used `http-enum` to identify exposed files and directories.**
- **Verified that files and directories were publicly accessible** if no access restrictions were in place.
- **Key finding:** The web server initially exposed unintended directories due to improper configuration. This was later corrected by explicitly setting a restricted directory (`~/WebServerTest`).

### **✅ 3. Modifying the Web Server & Observing Impact**
- **Port modification:** We changed the web server port from **8000 to 8080** and observed how it affected visibility in Nmap scans.
- **Root directory modification:** Initially, the server **unintentionally served the entire home directory**, exposing personal files.
- **Security fix:** We **explicitly set a dedicated directory (`~/WebServerTest`)** to prevent unintended exposure. Nmap scans confirmed that previously exposed directories were no longer visible.

### **✅ 4. Stopping the Web Server & Validating Removal**
- **Killed the running web server process.**
- **Confirmed with Nmap that port 8080 was now closed**, proving the server was no longer active.

---

## **🎯 Lessons Learned**
- **Nmap is a powerful tool** for detecting open ports, running services, and identifying potential misconfigurations.
- **Improperly configured web servers can expose unintended files**, making security scanning essential.
- **Restricting the web server’s root directory** is a simple but critical security measure.
- **Monitoring open ports over time** helps track potential unauthorized changes or exposures.

This project provided a hands-on experience in **real-world network security monitoring**, demonstrating how even a simple web server can introduce security risks if not properly configured.
