Ethical Hacking Series: 2.Interpreting Security Tool Outputs(Nmap Scan analysis And Live Traffic Analysis with Wireshark)

Share At:

Ethical Hacking Tutorial for Beginners | Fundamentals of Ethical Hacking


Security tools greatly simplify the task of assessing the security of our environments. However, there is still room for interpretation of reported results and analysis of data. In this Lab, we will use two popular security tools and learn how to understand more about what the tools are doing and how to interpret their results.

we will use Kali Linux as the security platform. we will scan a vulnerable host on the local network and analyze live traffic. The local network for this Lab is contained within a Hyper-V virtual environment. The hosts on the network consist of a variety of Linux and Windows hosts.

Lab Objectives

Upon completion of this Lab we will be able to:

  • Perform fast and full port scans of targets using Nmap
  • Understand the steps Nmap takes in performing scans
  • Analyze network traffic using Wireshark
  • Use Wireshark to understand how security tools communicate over the network

Interpreting the Output of a Fast Mode Nmap Scan


When we have identified a target host for performing a security assessment we can use security tools to perform thorough analyses for vulnerabilities. This Lab Step uses Nmap to perform a fast mode port scan of a target. we will target the Metasploitable 2 VM for the scan in this Lab Step. The Metasploitable 2 VM is created from an image that is highly vulnerable to exploits and has the IP address of in the local network. Many services are running on the Metasploitable 2 VM and many ports are open.

In this lab we are using Kali Linux as our host machine. Open a terminal to execute commands as mentioned below:

  1. At the prompt type the following command and press enter to perform a fast mode scan with nmap:
nmap -f

The -f option specifies to use a fast mode scan. A fast mode scan checks for ports used by common services rather than checking all possible port numbers. Because only 100 ports are checked it is much faster than a complete port scan. The scan discovers 18 open ports and lists the service that is associated with the port. The listed services are only what is most commonly associated with the given port. For example, 80/tcp is most commonly associated with http although a different service may actually be configured to use that port.

To determine what service and version are using ports, Nmap provides options to attempt to discover the actual service and version running behind a port. For an initial assessment and for this Lab, the more thorough service and version detection are not required.


In this Lab Step, we performed a fast mode Nmap port scan on a highly vulnerable target host. We observed that the fast mode scan found 18 open ports on the target. This is a large attack surface suggesting the target is vulnerable to attacks. If you identified such a large number of exposed ports on your own hosts, you should take inventory of what is essential and what can be closed.

Interpreting the Output of a Full Nmap Scan


In comparison to the fast mode option for port scanning with Nmap, we can specify a range of ports or scan all available ports. In this Lab Step, we will perform a full scan of all available ports on a target. Once again, we will target the Metasploitable 2 VM. This time we will learn more about what Nmap is doing to perform the scan.


1. Perform a full scan by providing the -p - option and include verbose output (-v):

nmap -v -p -

The -p option allows us to specify which ports to scan. The - after -p represents the full port range. The output begins similar to the following:

The command begins by Initiating ARP Ping Scan to discover the host on the local network.

Next, Nmap performs a reverse DNS resolution to try to extract identifying information about the target. The function of a host is commonly included in DNS names, such as including dev in the DNS name of a development server or fw in a host used as a firewall. In this case, the reverse DNS lookup does not provide any information.

Then Nmap continues by Initiating SYN Stealth Scan. In the TCP protocol a client sends a SYN packet is the initial packet that is sent to establish a connection with a server. If the server is listening on the port, it replies with a SYN-ACK packet to the client. To complete the connection, the client sends an ACK packet to establish the connection. However, Nmap never replies with ACK packets, so no TCP connection is ever established. Instead, an RST (reset) packet is sent to abandon the connection establishment. This is why it is referred to as a Stealth scan.

After around 5 minutes, the full scan completes and you see a summary similar to the fast mode scan:

The output shows Nmap discovers 30 ports compared to 18 with the fast mode scan. Some examples of ports not checked with the fast mode scan but that are discovered by the full scan are 512/tcp exec and 1099/tcp rmiregistry. When performing an inventory of your hosts it is worth performing more thorough scans since a motivated attacker would consider search for any vulnerability they could find. Nmap does support some timing templates to increase the speed of scans, although you may lose result accuracy if you use a timing template that your network cannot support.


In this Lab Step, we used Nmap to perform a full scan of a target. we also learned how Nmap uses the TCP connection protocol to stealthily discover which ports are open.

Interpreting Live Traffic Analysis with Wireshark


Another technique for assessing the security of a host is to analyze traffic flowing into and out of the host. A popular tool for analysis of network traffic is Wireshark. Wireshark is free to use and runs on a variety of operating systems. Wireshark captures and records packets being transmitted and received from selected network interfaces of a host. You can then analyze the captured traffic by filtering and inspecting packets using the graphical user interface. To get the most benefit from this type of security analysis, you should understand the communication protocols and what type of traffic is expected. A basic example of how you can use Wireshark in assessing your security is to capture traffic while you log into an application and then confirm that your account credentials are not visible in the captured traffic.

In this Lab Step, you will use Wireshark to analyze and ARP scan of the local network.


1. In your terminal enter the following to start Wireshark:

wireshark &

The & starts Wireshark in the background so that you can continue to use the terminal while Wireshark is running.

This image has an empty alt attribute; its file name is Capture-2-4.png

2. In the Wireshark window, double-click eth0 from the list of interfaces to select it for analysis:

The eth0 interface is the ethernet interface for the VM. All network traffic going outside the instance will traverse eth0.

3. In the terminal window, enter the following to generate some traffic for Wireshark to capture:

arp-scan --localnet

4. Enter arp in the display filter bar to display on ARP protocol traffic:


4. Maximize the Wireshark window and scroll to the top of the packet table at the top:


Wireshark has captured all of the ARP packets that are sent by the arp-scan command. To discover hosts on the local network, arp-scan sends Who has requests to every IP in the local network address space ( – The Info column presents summaries of the requests in English. Notice the Destination column says Broadcast for the ARP request. All interfaces on the network receive broadcast requests. This enables host discovery since if there is a host on the network with the requested IP it can respond to the request to identify itself.

5. Scroll through the packets and select the one that says is at… in the Info column:


This is a response to one of the ARP requests that asks who has

6. In the packet details pane immediately below the packet table, click the triangle to the left of Address Resolution Protocol to expand the section:


Wireshark understands the ARP protocol and displays the packet data in an easy to understand format. The data clearly shows the Target IP address and corresponding Target MAC address. The ARP protocol is used for determining the data link layer address (MAC address) of a given IPv4 address.


In this Lab Step, we used Wireshark to capture and analyze the traffic of a host. Specifically, we captured the traffic generated by an ARP scan and analyzed the traffic to understand what requests and responses are generated by the ARP scan.

Happy Learning !!

Share At:
0 0 votes
Article Rating
Notify of
Inline Feedbacks
View all comments
Back To Top

Contact Us