Host Discovery
Mainly notes from TryHackMe: Nmap Live Host Discovery Update: 2022
Several protocols can be used to discover live hosts on a network, such as:
ARP
ICMP
TCP/UDP
Specifying ports
Different notations can be used when specifying hosts to Nmap (single addresses, CIDR ranges, octet ranges and comma-separated lists).
Enumerating Targets
This command lists all IP addresses that Nmap would scan for the specified range (CIDR notation). The -n flag prevents Nmap from performing DNS resolution on them.
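As an added illustration of what Nmap does when it enumerates targets (this is a hypothetical helper, not Nmap's own code), the function below expands the common target notations into the list of addresses that would be probed: CIDR blocks, single addresses, per-octet ranges such as 10.0.0.1-3, the * wildcard, and comma-separated lists. Like Nmap, a CIDR spec given with a host address covers the whole block that host sits in.

```python
import ipaddress
from itertools import product


def _octet_values(token):
    """Turn one octet token ('7', '1-3' or '*') into the integers it covers."""
    if token == "*":
        return list(range(256))
    if "-" in token:
        lo, hi = (int(x) for x in token.split("-", 1))
    else:
        lo = hi = int(token)
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"octet range out of bounds: {token}")
    return list(range(lo, hi + 1))


def expand_target_spec(spec):
    """Expand an Nmap-style IPv4 target specification into an ordered,
    de-duplicated list of dotted-quad strings (hypothetical helper).

    Supported forms: '10.0.0.0/30', '10.0.0.5', '10.0.0.1-3',
    '10.0.0-1.1', '10.0.0.*' and comma-separated combinations.
    """
    seen = {}  # dict preserves insertion order and drops duplicates
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "/" in item:
            # strict=False mirrors Nmap: 10.0.0.5/30 covers the whole /30,
            # network and broadcast addresses included (as -sL shows)
            net = ipaddress.ip_network(item, strict=False)
            addrs = [str(a) for a in net]
        else:
            octets = item.split(".")
            if len(octets) != 4:
                raise ValueError(f"not an IPv4 target: {item}")
            combos = product(*(_octet_values(o) for o in octets))
            addrs = [".".join(str(n) for n in combo) for combo in combos]
        for a in addrs:
            seen.setdefault(a, None)
    return list(seen)


if __name__ == "__main__":
    for spec in ("192.168.0.0/30", "10.0.0.1-3,10.0.0.9", "10.0.0.5/30"):
        hosts = expand_target_spec(spec)
        print(f"{spec}: {len(hosts)} address(es) -> {hosts}")
```

The count returned for a spec is the number of addresses Nmap would list with -sL -n, which is a quick sanity check before scanning a large range.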
ARP requests
It is possible to use the ARP protocol to discover live hosts in a subnet. When receiving an ARP request, a live host should reply with an ARP response that includes the MAC address of the device. Because ARP is a link-layer protocol, an ARP request can only reach devices that are on the same subnet as the tester.
We cannot use ARP requests to determine live hosts in external subnets: ARP packets are not routed between subnets, since ARP is a link-layer protocol.
Did you know that?
A ping request is always preceded by an ARP exchange (the sender must resolve the MAC address of the target, or of the next-hop router, before it can put the ICMP packet on the wire).
Useful switches for Nmap
| Switch | Description |
|---|---|
| -sL | List the hosts to be scanned (without performing a scan, but DNS resolution is performed) |
| -n | Do not perform DNS resolution |
| -iL | Provide a list of hosts from a file |
| -e | Scan using a specific interface |
| -PR | Do not send ICMP requests (only ARP) |
| -sn | Do not perform port scanning. Useful if we only want to list all live hosts. |
Some devices may not respond to ping requests, or ICMP may simply be blocked by a firewall. Thus, a scan with the -PR switch can reveal live hosts that would not be flagged otherwise.
Command to perform a live host scan based on ARP requests, excluding ICMP requests, using Nmap.
arp-scan
Description: arp-scan is a tool to identify live hosts on a network using the ARP protocol.
The switch -I can be used to specify an interface, and the switch -l sends an ARP request to all valid IPs of the network we are in.
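To show concretely what an ARP-based discovery tool such as Nmap -PR or arp-scan puts on the wire, and why the answer carries a MAC address, the following added example (not code from Nmap, arp-scan or TryHackMe) builds an ARP request frame with Python's struct module and parses the reply. Nothing is transmitted: the reply frame used in the demo is constructed locally. The Ethernet destination is the broadcast address and there is no IP header at all, which is exactly why a router will not forward it.

```python
import struct

ETH_P_ARP = 0x0806          # EtherType for ARP
BROADCAST = b"\xff" * 6     # every host on the segment receives the request
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def _arp_frame(op, dst_mac, sha, spa, tha, tpa):
    """Ethernet + ARP frame (14 + 28 = 42 bytes): htype=1 (Ethernet),
    ptype=0x0800 (IPv4), hlen=6, plen=4, then the sender/target pairs."""
    eth = mac_bytes(dst_mac) + mac_bytes(sha) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))
    return eth + arp


def build_arp_request(sender_mac, sender_ip, target_ip):
    """'Who has target_ip? Tell sender_ip', broadcast to the whole link."""
    return _arp_frame(ARP_REQUEST, "ff:ff:ff:ff:ff:ff",
                      sender_mac, sender_ip, "00:00:00:00:00:00", target_ip)


def build_arp_reply(replier_mac, replier_ip, requester_mac, requester_ip):
    """Constructed reply, used here only to demonstrate parsing."""
    return _arp_frame(ARP_REPLY, requester_mac,
                      replier_mac, replier_ip, requester_mac, requester_ip)


def parse_arp_reply(frame):
    """Return (mac, ip) of the replying host, or None if the frame is not
    an Ethernet/IPv4 ARP reply. A reply proves the host is up on this link."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    sha, spa = frame[22:28], frame[28:32]
    return ":".join(f"{b:02x}" for b in sha), ".".join(str(b) for b in spa)


def live_hosts_from_frames(frames):
    """Map IP -> MAC for every valid ARP reply in a captured frame list."""
    found = {}
    for frame in frames:
        parsed = parse_arp_reply(frame)
        if parsed:
            found[parsed[1]] = parsed[0]
    return found


if __name__ == "__main__":
    req = build_arp_request("aa:bb:cc:dd:ee:01", "192.168.1.10", "192.168.1.20")
    print("request:", req.hex())
    # constructed capture: one real reply plus the echoed request (ignored)
    capture = [req, build_arp_reply("aa:bb:cc:dd:ee:02", "192.168.1.20",
                                    "aa:bb:cc:dd:ee:01", "192.168.1.10")]
    print("live hosts:", live_hosts_from_frames(capture))
```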
ICMP requests
By default, Nmap sends ICMP echo requests (ping) to perform a live host scan. Although, behind the scenes, an ARP exchange precedes any ping request, routers are able to forward the ping requests across subnets.
The disadvantage of ICMP echo requests is that they are not very reliable, since many firewalls block ICMP echo.
| Flag | Description |
|---|---|
| -PE | ICMP echo requests |
| -PP | ICMP Timestamp requests |
| -PM | ICMP Address Mask requests |
Example of a host discovery scan using ICMP echo requests:
With the command above, live hosts respond with an ICMP echo reply if ICMP traffic is not blocked by a firewall.
Below is the output of a host discovery scan using ICMP echo requests. The MAC addresses of live hosts can be observed, because each ICMP request is preceded by an ARP exchange. Thus, when the live hosts are in the same subnet as the tester, their state can be determined from the ARP exchange alone.
However, when live hosts are in another subnet, it is not possible to get their MAC addresses, because ARP packets are not routed.
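The point made above (a MAC Address line appears only for hosts on the tester's own link) can be checked mechanically on Nmap's normal output. The parser below is an added example, not part of the original notes or of Nmap; the scan output it works on is a constructed sample in the same format Nmap prints for a -sn scan, with two hosts on the local segment and one routed host.

```python
import re

# Constructed sample of `nmap -sn` normal output (not a real scan).
SAMPLE_OUTPUT = """\
Starting Nmap 7.93 ( https://nmap.org ) at 2022-01-01 10:00 UTC
Nmap scan report for 10.10.1.1
Host is up (0.0012s latency).
MAC Address: 02:42:0A:0A:01:01 (Unknown)
Nmap scan report for gateway.lab.local (10.10.1.5)
Host is up (0.0030s latency).
MAC Address: 02:42:0A:0A:01:05 (Unknown)
Nmap scan report for 10.20.2.7
Host is up (0.045s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.10 seconds
"""

# "Nmap scan report for <ip>" or "Nmap scan report for <name> (<ip>)"
REPORT_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\d+\.\d+\.\d+\.\d+)\))?$")
UP_RE = re.compile(r"^Host is up \(([\d.]+)s latency\)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17}) \((.*)\)$")


def parse_ping_scan(text):
    """Return one dict per 'Nmap scan report' block: ip, hostname, latency
    in seconds and mac (None when Nmap printed no MAC Address line)."""
    hosts, current = [], None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            name, ip = m.group(1), m.group(2)
            current = {"ip": ip or name, "hostname": name if ip else None,
                       "latency": None, "mac": None, "vendor": None}
            hosts.append(current)
            continue
        if current is None:
            continue  # banner / summary lines before the first report
        m = UP_RE.match(line)
        if m:
            current["latency"] = float(m.group(1))
            continue
        m = MAC_RE.match(line)
        if m:
            current["mac"], current["vendor"] = m.group(1), m.group(2)
    return hosts


def split_by_link(hosts):
    """A MAC address is only learned through ARP, so its presence tells us
    the host is on our own link; absence means the host was reached via a
    router (or Nmap ran unprivileged and skipped ARP)."""
    local = [h for h in hosts if h["mac"] is not None]
    routed = [h for h in hosts if h["mac"] is None]
    return local, routed


if __name__ == "__main__":
    local, routed = split_by_link(parse_ping_scan(SAMPLE_OUTPUT))
    print("same subnet:", [(h["ip"], h["mac"]) for h in local])
    print("routed     :", [h["ip"] for h in routed])
```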
Alternative
It is also possible to try a host scan using the ICMP Timestamp requests (-PP) and ICMP Address Mask requests (-PM), in case ICMP echo requests (-PE) are blocked by the firewall.
TCP & UDP requests
TCP packets can be used for a host discovery scan by setting the SYN or ACK flag on the packets sent.
TCP ping SYN scan
We expect live hosts to respond with a TCP SYN-ACK (a RST from a closed port also shows that the host is up). The command below performs a TCP SYN ping against ports 22, 80 and 443. The ports to probe are listed directly after the -PS flag. By default, Nmap probes port 80.
For a TCP SYN ping, the tester needs sudo rights or has to be root; otherwise Nmap cannot send raw packets and completes the full 3-way handshake instead.
TCP ping ACK scan
We expect live hosts to respond with a RST. The command below performs a TCP ACK ping against ports 21 to 25.
A TCP ACK ping can only be performed by a privileged user.
UDP
We can expect a response when sending a UDP packet to a closed UDP port (ICMP port unreachable). Receiving a port unreachable message is a sign that the host is online. However, no response could mean either that the UDP packet reached an open UDP port or that the host is offline. Behind the scenes, Nmap sends its UDP probe to an uncommon UDP port precisely to provoke a port unreachable reply from the targeted hosts.
Masscan
Masscan is an aggressive but very fast tool for scanning networks effectively.
DNS query options
By default, Nmap performs a reverse DNS query on the hosts it finds online.
| Command | Description |
|---|---|
| -n | Do not perform any reverse DNS query on live hosts. By default, Nmap performs a reverse DNS query. |
| -R | Perform a reverse DNS query for offline and online hosts |
| --dns-servers | Specify the DNS servers to use |
Services grabbing
nmap smb vulnerability scanning
Scan for common vulnerabilities in SMB shares
nmap vulnerability scanning
Tip: When a service does not show up in a scan, we can try setting the variable totalwaitms to a higher value such as 20000. This variable can be modified in /usr/share/nmap/nmap-service-probes
nmap through proxychains
When using Nmap through proxychains, two flags are essential, because a SOCKS proxy only relays full TCP connections (raw SYN packets and ICMP pings never reach the target through it):
-sT: TCP connect port scan (no SYN scan)
-Pn: disable host discovery
Scan 1: Which ports are open on the target system
Scan 2: Proceed to a deeper Nmap scan
Proceed to a deeper Nmap scan only on the open ports. Use the -sC switch to run the default Nmap scripts.
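The two-stage procedure above is easy to automate: take the greppable output (-oG) of the first scan, keep only the ports reported as open, and feed them to the second, script-enabled scan. The helper below is an added example, not code from TryHackMe or Nmap; the greppable output it parses is a constructed sample, and the choice of -sC together with -sV for the second stage is this example's assumption (the notes only mention -sC).

```python
import shlex

# Constructed sample of `nmap -oG -` output for the first scan (not a real scan).
# Fields on a "Host:" line are tab-separated; each port entry is
# port/state/protocol/owner/service/rpc info/version/
SAMPLE_GREPPABLE = (
    "# Nmap 7.93 scan initiated as: nmap -oG - -p- 10.10.1.5\n"
    "Host: 10.10.1.5 ()\tStatus: Up\n"
    "Host: 10.10.1.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/closed/tcp//https///, 8080/open|filtered/tcp//http-proxy///\t"
    "Ignored State: closed (65531)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned in 12.34 seconds\n"
)


def open_ports_by_host(greppable):
    """Map each host IP to its sorted list of ports in state 'open'.
    'open|filtered' is deliberately excluded: it is the ambiguous state
    (no response), not a confirmed open port."""
    result = {}
    for line in greppable.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.strip().split("/")
                if len(parts) < 3:
                    continue
                port, state, proto = parts[0], parts[1], parts[2]
                if state == "open" and proto == "tcp":
                    result.setdefault(ip, set()).add(int(port))
    return {ip: sorted(ports) for ip, ports in result.items()}


def followup_command(ip, ports):
    """argv for the second-stage scan, restricted to the confirmed open ports.
    -sC (default scripts) is from the notes; adding -sV is this example's choice."""
    if not ports:
        raise ValueError(f"no open ports recorded for {ip}; nothing to scan")
    return ["nmap", "-sC", "-sV", "-p", ",".join(str(p) for p in ports), ip]


if __name__ == "__main__":
    for ip, ports in open_ports_by_host(SAMPLE_GREPPABLE).items():
        print(shlex.join(followup_command(ip, ports)))
```

Running the block prints the second-stage command line for each host; piping the real first scan through `nmap -oG -` and reading stdin instead of the constant is the only change needed to use it for real.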
Debug
I have encountered this error once: "Could not find interface wlan1 which was specified by -e".
Solution: I requested an IP address for wlan1 via dhclient.