Nmap & TShark: Windows 7 Service Discovery Lab
Progressively discover, enumerate, and confirm services on a Windows 7 target using Nmap and TShark from Kali Linux. The commands use the placeholders <your_subnet> and <target_ip>; substitute the subnet you derive in Step 0 and the target address you pick in Phase 1.
Lab Objectives
- Run ifconfig / ip addr to find your Kali Linux IP address and network interface.
- Perform a ping sweep to discover live hosts on the lab network.
- Select a Windows 7 target and scan for all open TCP ports.
- Identify confirmed services and versions running on each open port.
- Use TShark alongside Nmap to observe the scan traffic at the packet level.
Prerequisites
- Kali Linux VM with Nmap and TShark installed (both are pre-installed on Kali).
- A Windows 7 VM on the same network segment (host-only or internal network recommended).
- Both VMs must be on the same segment and able to reach each other before starting. With the Windows Firewall enabled, the Windows 7 VM may not answer ping even though it is up; the ARP-based sweep in Phase 1 will still find it, but the port results in Phase 2 assume the firewall is off or the network profile is Home/Work.
- Root or sudo access on the Kali VM for privileged scan types.
Step 0: Find Your Kali IP Address
Open a terminal on your Kali Linux VM and run one of these commands to find your IP address and network interface:
ifconfig
Look for your active interface (usually eth0 or ens33). The inet value under it is your IP address.
ip addr show
Alternative command. Look for the inet line under your active interface.
Example ifconfig output:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.56.10 netmask 255.255.255.0 broadcast 192.168.56.255
ether 08:00:27:aa:bb:cc txqueuelen 1000 (Ethernet)
In this example the IP is 192.168.56.10 and the interface is eth0. The netmask 255.255.255.0 means the subnet is 192.168.56.0/24, which is the <your_subnet> value used in Phase 1.
Phase 1: Host Discovery (Ping Sweep)
Before scanning ports, discover which hosts are alive on the network. The -sn flag tells Nmap to skip port scanning and only check if hosts respond.
Step 1: Run a ping sweep of your entire subnet:
sudo nmap -sn <your_subnet>
Run as root against a directly attached Ethernet segment (for example sudo nmap -sn 192.168.56.0/24), Nmap discovers hosts with ARP requests rather than ICMP, so a host whose firewall drops ping still shows up as long as it answers ARP. Against a subnet behind a router Nmap would fall back to ICMP and TCP probes instead. Note the IP address and MAC address of every host that responds.
Step 2: In a second terminal, capture the sweep traffic with TShark:
sudo tshark -i eth0 -f "net <your_subnet>" -c 50
The capture filter matches ARP as well as IP traffic for the subnet, so you should see one ARP request per address and an ARP reply from each live host. A /24 sweep sends about 256 requests, so raise -c (or omit it and stop TShark with Ctrl-C once Nmap finishes) if you want to see the whole sweep. Compare the replying hosts with the Nmap output.
Step 3: Review the Nmap output:
Nmap scan report for 192.168.56.1
Host is up (0.00045s latency).
MAC Address: 0A:00:27:00:00:00 (VirtualBox)
Nmap scan report for 192.168.56.20
Host is up (0.00089s latency).
MAC Address: 08:00:27:XX:XX:XX (PCS Systemtechnik/VirtualBox)
Nmap done: 256 IP addresses (3 hosts up)
Identify which host is the Windows 7 target and note its IP address; it is the <target_ip> used in the remaining phases. Nmap also reports your own Kali VM as up, which accounts for the third host in this example, and 192.168.56.1 is typically the hypervisor's host-only adapter.
Record:
- Total number of live hosts discovered.
- IP and MAC address of each live host.
- Which host is the Windows 7 target.
Select Your Target
From the ping sweep results above, identify the Windows 7 target. Its address replaces <target_ip> in every remaining command.
Phase 2: Full Port Scan
Scan all 65,535 TCP ports on the target to find every open port. This is a SYN scan (half-open) which is fast and does not complete the TCP handshake.
Step 1: Start TShark to observe the SYN scan traffic:
sudo tshark -i eth0 -f "host <target_ip>" -Y "tcp.flags.syn==1 || tcp.flags.reset==1" -c 200
The display filter keeps Nmap's SYN probes, the target's SYN/ACK and RST/ACK answers, and the RST that tears each half-open connection down, so you see each port probe together with how the target answered it. A full -p- scan sends 65,535 probes; -c 200 stops the capture early, which is enough to see the pattern (raise it, or omit it and stop with Ctrl-C, to keep the whole scan).
Step 2: In another terminal, run the full TCP SYN scan:
sudo nmap -sS -p- <target_ip>
-sS performs a SYN scan and -p- covers all 65,535 TCP ports. An open port answers SYN/ACK, a closed port answers RST, and a port that produces no answer (or an ICMP unreachable) is reported as filtered. Against a Windows 7 VM on the same segment with the Windows Firewall off, the scan finishes in roughly 1–3 minutes. If the firewall is on, most probes get no reply, the scan takes far longer, and the ports listed below may appear filtered instead of open.
Step 3: Review the Nmap output:
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
The SERVICE column is only a lookup of the port number in Nmap's nmap-services table, not the result of talking to the service; the high ports have no entry there, hence "unknown". Phase 3 confirms the actual services.
Step 4: Check the TShark output for the SYN scan pattern:
192.168.56.10 → 192.168.56.20 TCP 54 43210 → 135 [SYN]
192.168.56.20 → 192.168.56.10 TCP 58 135 → 43210 [SYN, ACK]
192.168.56.10 → 192.168.56.20 TCP 54 43210 → 135 [RST]
SYN → SYN/ACK → RST is the half-open pattern: the SYN/ACK proves port 135 is open, and the handshake is never completed. The closing RST is not sent by Nmap itself but by the Kali kernel, which has no socket for this connection and therefore rejects the unexpected SYN/ACK. For a closed port you will instead see the target answer the SYN with RST/ACK; for a filtered port there is no reply at all.
Record:
- Complete list of open TCP ports.
- The number of closed and filtered ports reported (the "Not shown:" line).
- Total scan duration (the "Nmap done" line).
Phase 3: Service and Version Detection
The port scan told you which ports are open, but the service names were just guesses. Now probe each open port to confirm exactly what service and version is running.
Step 1: Start TShark to observe the service probes:
sudo tshark -i eth0 -f "host <target_ip>" -Y "tcp.flags.syn==1 && tcp.flags.ack==1" -c 50
This captures the SYN/ACK responses, i.e. the ports the target confirms as open during the version scan. Unlike -sS, version detection connects through the Kali TCP stack, so if you drop the display filter you will see complete three-way handshakes (SYN, SYN/ACK, ACK) followed by Nmap's protocol probes, rather than the SYN/ACK → RST teardown of Phase 2.
Step 2: Run Nmap with service version detection on your open ports:
sudo nmap -sV -p 135,139,445,49152-49157 <target_ip>
-sV completes a connection to each port and sends protocol-specific probes, identifying the service and version from the responses. Limiting the scan to the ports found open in Phase 2 keeps it fast.
Step 3: Review the confirmed services:
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
The VERSION column now shows results from actual protocol interaction: the high ports are confirmed as Microsoft Windows RPC endpoints rather than "unknown", and the SMB response on 445 narrows the OS to the Windows 7 - 10 family.
Step 4: Use TShark to inspect an SMB probe in detail:
sudo tshark -i eth0 -f "host <target_ip> and port 445" -c 20 -V | head -80
-V prints the full dissection of every packet, so piping through head -80 shows only the first packet or two, which will be the TCP handshake rather than SMB. To get straight to the SMB exchange, add the display filter -Y "smb || smb2" and replace -V with -O smb,smb2, which expands only the SMB layers; you should then see the Negotiate Protocol request Nmap sends and the target's response, which carry the dialect information Nmap uses to fingerprint the service.
Record:
- The confirmed service name and version for each open port.
- The operating system identified by the Service Info line.
- Any differences between the Phase 2 guesses and the confirmed services.
Phase 4: Save and Export Results
Save all scan results in multiple formats for documentation and further analysis.
Step 1: Run a final combined scan saving output in all formats:
sudo nmap -sS -sV -p 135,139,445,49152-49157 -oA win7-scan <target_ip>
-oA writes three files with the given base name: normal (.nmap), grepable (.gnmap), and XML (.xml).
Step 2: Save a TShark capture of the scan as a PCAP:
sudo tshark -i eth0 -f "host <target_ip>" -w win7-scan.pcap -a duration:60
Start this first, then run the Nmap scan in another terminal. The capture stops on its own after 60 seconds, so make sure the scan finishes inside that window (or raise the duration). The PCAP can be opened in Wireshark for detailed analysis.
Step 3: Verify your saved files:
ls -la win7-scan.*
You should have win7-scan.nmap, win7-scan.gnmap, win7-scan.xml, and win7-scan.pcap.
Step 4: View the grepable output:
grep "open" win7-scan.gnmap
The grepable format puts all of a host's ports on one line, each entry in the form port/state/protocol//service//version/, which makes it easy to process with grep, cut, or a short script.
Record:
- All four output files saved to your working directory.
- A screenshot of the grepable output showing all open ports.
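The grepable line format described above, turned into the service table this lab asks for as a deliverable. This is an added example, not part of the original lab page or of Nmap itself: it parses the tab-separated host lines and the port/state/protocol/owner/service/rpcinfo/version/ entries of a .gnmap file, and the sample text embedded below is constructed to match the shape of the combined -sS -sV scan output (the host address, port list and version strings are assumptions, not a real scan).

```python
"""Build a port/service table from Nmap grepable (.gnmap) output.

Added example for the lab, not Nmap's own code.  A host line in .gnmap has
tab-separated sections; the "Ports:" section lists one entry per port as
    port/state/protocol/owner/service/rpcinfo/version/
separated by ", ".  Nmap writes '|' instead of '/' inside these fields, so
splitting on '/' is safe.
"""
import re

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_port_entry(entry):
    """Split one 'port/state/proto/owner/service/rpcinfo/version/' entry."""
    parts = entry.strip().split("/")
    if len(parts) < 7:
        raise ValueError(f"unexpected port entry: {entry!r}")
    return {
        "port": int(parts[0]),
        "state": parts[1],
        "proto": parts[2],
        "service": parts[4] or "unknown",   # empty when nmap-services has no entry
        "version": parts[6],                # empty unless -sV identified it
    }


def parse_gnmap(text):
    """Return {host: [port dicts ...]} for every host line that carries a Ports: section."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and the 'Status: Up' line carry no ports
        m = HOST_RE.match(line)
        if not m:
            continue
        sections = [s for s in line.split("\t") if s.startswith("Ports:")]
        ports = sections[0][len("Ports:"):].strip()
        hosts[m.group(1)] = [parse_port_entry(e) for e in ports.split(", ")]
    return hosts


def open_ports(hosts, host):
    """Open port numbers for one host, in the order Nmap listed them."""
    return [p["port"] for p in hosts.get(host, []) if p["state"] == "open"]


def service_table(hosts, host):
    """Render the deliverable: one line per open port with confirmed service and version."""
    rows = ["PORT      SERVICE       VERSION"]
    for p in hosts.get(host, []):
        if p["state"] == "open":
            rows.append(f"{p['port']}/{p['proto']:<5} {p['service']:<13} {p['version']}")
    return "\n".join(rows)


# Constructed sample (not a real scan): shape of win7-scan.gnmap after the
# combined -sS -sV scan, with one closed port added to show that state.
SAMPLE_GNMAP = (
    "# Nmap scan initiated ... as: nmap -sS -sV -p 135,139,445,49152-49157 -oA win7-scan 192.168.56.20\n"
    "Host: 192.168.56.20 ()\tStatus: Up\n"
    "Host: 192.168.56.20 ()\tPorts: "
    "135/open/tcp//msrpc//Microsoft Windows RPC/, "
    "139/open/tcp//netbios-ssn//Microsoft Windows netbios-ssn/, "
    "445/open/tcp//microsoft-ds//Microsoft Windows 7 - 10 microsoft-ds/, "
    "49152/open/tcp//msrpc//Microsoft Windows RPC/, "
    "49153/open/tcp//msrpc//Microsoft Windows RPC/, "
    "49154/closed/tcp//unknown///\n"
    "# Nmap done at ... -- 1 IP address (1 host up) scanned in 12.34 seconds\n"
)

if __name__ == "__main__":
    # Replace SAMPLE_GNMAP with open("win7-scan.gnmap").read() for a real run.
    hosts = parse_gnmap(SAMPLE_GNMAP)
    print(service_table(hosts, "192.168.56.20"))
```

The same parser works on a multi-host .gnmap from a subnet-wide scan, since it keys results by the address on each Host: line; only open ports are rendered, which mirrors what grep "open" shows but with the fields separated.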
Windows 7 Default Services Reference
These are the services you should expect to find on a default Windows 7 installation. Compare your scan results against this table.
| Port | Service | Full Name | Purpose | Security Note |
|---|---|---|---|---|
| 135/tcp | msrpc | Microsoft RPC Endpoint Mapper | Maps RPC interface UUIDs to the dynamic ports that serve them. Required for DCOM and many Windows management tools. | Historically a remote code execution target and the starting point for RPC enumeration. Should not be exposed to untrusted networks. |
| 139/tcp | netbios-ssn | NetBIOS Session Service | Carries SMB over NetBIOS (NBT) for file and printer sharing. Legacy transport still enabled on Windows 7. | Redundant where SMB runs directly over TCP/445; disable NetBIOS over TCP/IP where nothing legacy depends on it, and block it at the perimeter regardless. |
| 445/tcp | microsoft-ds | SMB (Server Message Block) | File sharing, printer sharing, and inter-process communication over named pipes. Primary Windows file sharing protocol. | Target of EternalBlue (MS17-010) and many other exploits. An unpatched Windows 7 host is exposed, and Windows 7 no longer receives security updates. |
| 49152-49157/tcp | msrpc | Dynamic RPC Endpoints | Ports Windows assigns at boot to RPC services such as Task Scheduler and Event Log; clients locate them by querying the endpoint mapper on 135. | Normal Windows behaviour. Which service sits on which port can be determined with RPC endpoint enumeration against port 135. |
Deliverables
- Screenshot of ifconfig showing your Kali IP address.
- Screenshot of the -sn ping sweep showing discovered hosts.
- Screenshot of the full port scan (-sS -p-) results listing all open ports.
- Screenshot of the service version scan (-sV) with confirmed services and versions.
- TShark output showing the SYN scan pattern (SYN → SYN/ACK → RST).
- All four export files: .nmap, .gnmap, .xml, and .pcap.
- A completed service table mapping each open port to its confirmed service, version, and purpose.
Scan Methodology
- Find your IP: ifconfig. Know your own address first.
- Discover: nmap -sn. Find live hosts on the network.
- Enumerate: nmap -sS -p-. Find all open ports on the target.
- Identify: nmap -sV. Confirm services and versions.
- Export: nmap -oA. Save results for reporting.
Nmap Flags Used
- -sn: Ping scan only, no port scan.
- -sS: TCP SYN (half-open) scan.
- -sV: Service version detection.
- -p-: Scan all 65,535 TCP ports.
- -p 135,139,445: Scan specific ports.
- -oA name: Save in all output formats.
TShark Flags Used
- -i eth0: Capture on interface.
- -f "filter": BPF capture filter.
- -Y "filter": Display filter.
- -c 50: Stop after 50 packets.
- -w file.pcap: Write to PCAP.
- -V: Full packet dissection.
- -a duration:60: Stop after 60s.
SYN Scan Explained
- Open port: Scanner → SYN, Target → SYN/ACK, Scanner → RST
- Closed port: Scanner → SYN, Target → RST
- Filtered port: Scanner → SYN, Target → (no response)
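The three cases in this box, and the SYN → SYN/ACK → RST exchange inspected in Phase 2 Step 4, as a script that infers each port's state from the packets in win7-scan.pcap. This is an added example, not part of the original lab and not an Nmap or Wireshark feature: it assumes the capture was exported with tshark -r win7-scan.pcap -Y tcp -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags (tab-separated, tcp.flags as a hex value whose width varies between TShark versions), and the sample lines, scanner and target addresses and port numbers below are constructed, not captured.

```python
"""Infer port states from a SYN-scan capture, the way Nmap does.

Added example for the lab, not Nmap's or TShark's own code.  Input lines are
the tab-separated output of:
    tshark -r win7-scan.pcap -Y tcp -T fields \
        -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags
"""
from collections import OrderedDict

# TCP flag bits as encoded in the tcp.flags field (assumed hex, any width).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def classify_syn_scan(lines, scanner, target):
    """Return {port: 'open' | 'closed' | 'filtered'} for every port the scanner probed.

    open     : target answered the SYN with SYN/ACK
    closed   : target answered with RST (normally RST/ACK)
    filtered : no answer at all (dropped by a firewall, or the host is down)
    The scanner's own RST, sent by its TCP stack to tear down the half-open
    connection, is ignored: it carries no information about the port.
    """
    states = OrderedDict()
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 5 or not all(fields):
            continue  # malformed or non-TCP line
        src, dst, sport, dport, flags = fields
        f = int(flags, 16)
        if src == scanner and dst == target and f & SYN and not f & ACK:
            # A probe. setdefault keeps an 'open'/'closed' verdict already
            # recorded if Nmap retransmits the SYN.
            states.setdefault(int(dport), "filtered")
        elif src == target and dst == scanner:
            port = int(sport)
            if port not in states:
                continue  # reply to something we never probed
            if f & SYN and f & ACK:
                states[port] = "open"
            elif f & RST:
                states[port] = "closed"
    return states


def summarize(states):
    """Count ports per state, like Nmap's 'Not shown:' summary."""
    counts = {"open": 0, "closed": 0, "filtered": 0}
    for state in states.values():
        counts[state] += 1
    return counts


# Constructed sample (not a real capture): probes to three ports from the
# lab's example Kali address to the example target.
SAMPLE = """\
192.168.56.10\t192.168.56.20\t43210\t135\t0x002
192.168.56.20\t192.168.56.10\t135\t43210\t0x012
192.168.56.10\t192.168.56.20\t43210\t135\t0x004
192.168.56.10\t192.168.56.20\t43210\t136\t0x002
192.168.56.20\t192.168.56.10\t136\t43210\t0x014
192.168.56.10\t192.168.56.20\t43210\t137\t0x002
""".splitlines()

if __name__ == "__main__":
    # For a real run: lines = open("fields.txt") after exporting the pcap as above.
    result = classify_syn_scan(SAMPLE, "192.168.56.10", "192.168.56.20")
    for port, state in result.items():
        print(f"{port}/tcp {state}")
    print(summarize(result))
```

Port 135 is classified open from the SYN/ACK, port 136 closed from the RST/ACK, and port 137 stays filtered because nothing ever came back; comparing this output against the Nmap report for the same scan is a quick way to confirm that Nmap's verdicts follow from the packets you captured.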
CySA+ Exam Alignment
- Domain 1: Security Operations
- Objective 1.3: Use appropriate tools to determine malicious activity.
- Tools: Nmap, TShark, packet analysis