
Nmap Scan All the Things (Part Two: Unmasking the Hidden: Host Discovery)

Updated: Jan 8



In part two of the "Nmap: Scan All the Things" series, I continue the overview of Nmap and its capabilities. This post explains what Nmap's host discovery is, how target hosts are specified, how Nmap handles DNS resolution, and finally the host discovery options themselves. If you're interested in cybersecurity, please check back regularly on Cyb3r-S3c and check out my YouTube channel, Cyb3r_0verWatch, for more informative content. You can also watch my YouTube video on the same subject (https://youtu.be/tTNDWdw5hmQ). I am currently documenting part three, with part four in the works.



Nmap Host Discovery aka Ping Scanning


To conduct effective network reconnaissance, it's crucial to narrow down the list of IP ranges to a set of active or interesting hosts, rather than scanning every port of every IP address. Depending on the purpose of the scan, what makes a host interesting varies greatly. For instance, network administrators may be interested in hosts running specific services, while security auditors may care about every device with an IP address. The method of host discovery also varies, with some admins only using ICMP ping to locate hosts, while pentesters may use a variety of probes to evade firewall restrictions.


Nmap offers a range of options for customizing the host discovery process to accommodate these diverse needs. Users can skip the ping step entirely with a list scan (-sL) or by disabling ping (-Pn), or employ various combinations of multi-port TCP SYN/ACK, UDP, and ICMP probes to elicit responses that show that an IP is alive and being used by a host or network device. Host discovery can be invaluable in locating target hosts in a sea of sparsely allocated IP addresses, such as in private address space like 10.0.0.0/8, where only a small percentage of IPs are usually active at any given time. Before using Nmap, it's essential to have a good understanding of the different host discovery options and their impact on the scan process.



Host Specifications


Nmap provides a flexible command-line interface for specifying target hosts. Octet range addressing lets you cover a range of IP addresses while skipping others: each of the four octets can be given as a comma-separated list of numbers or low-high ranges. Nmap accepts multiple host specifications on one command line, and they don't need to be the same type. IPv6 targets must be given as a full IPv6 address or a hostname, since CIDR and octet ranges are rarely useful for IPv6. Host specifiers include:


  • Hostname, IPv4, and IPv6

  • IPv4 CIDR Notation

  • IPv4 Range

  • IPv4 Range Mix

  • -iL <file>: read the list of targets to scan from a file

  • -iR <num>: scan that many randomly chosen targets

Examples:

  • IP or Hostname = <192.68.1.1> or <host.example.com>

  • IP or Hostname/CIDR bits = <192.68.1.1/24> or <host.example.com/24>

  • IP Range = <192.68.1.1-254>

  • IP Range Mix = <192.168.1-9,2.1>

  • List = -iL <location of file>
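The specifier forms above are exactly what Nmap's list scan (-sL) expands before any packet is sent. The following script is an added example, not Nmap's own code, and implements that expansion for the IPv4 forms listed here: a plain address, an address or hostname with a /CIDR suffix, octet ranges such as 192.168.1-9,2.1, and an -iL style list. Hostnames are resolved through a caller-supplied lookup table so it runs offline; collapsing repeated values inside one octet, refusing an octet range combined with /CIDR, and treating "#" as a comment in the list file are this example's own assumptions, not documented Nmap behaviour.

```python
"""Expand Nmap-style target specifications into the addresses Nmap would scan.

Added example (not Nmap's code). Supports: 192.168.1.1, 192.168.1.1/24,
host.example.com/24 (via a lookup table), and octet ranges like 192.168.1-9,2.1.
"""
import ipaddress
import itertools
import re
from typing import Callable, Iterator, List, Optional

OCTET_ITEM = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")
# Only digits, dots, commas, dashes and '*' count as octet-range syntax;
# anything else is treated as a hostname and handed to the resolver.
OCTET_SYNTAX = re.compile(r"^[\d.,*-]+$")

Resolver = Callable[[str], Optional[str]]


def expand_octet(spec: str) -> List[int]:
    """'1-9,2' -> [1, 2, ..., 9]; a bare '*' or '-' means 0..255."""
    if spec in ("*", "-"):
        return list(range(256))
    values: List[int] = []
    for item in spec.split(","):
        m = OCTET_ITEM.match(item)
        if not m:
            raise ValueError(f"bad octet {item!r} in {spec!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if not 0 <= low <= high <= 255:
            raise ValueError(f"octet range {item!r} out of order or outside 0-255")
        values.extend(range(low, high + 1))
    return list(dict.fromkeys(values))  # assumption: drop repeats, keep order


def expand_octet_ranges(spec: str) -> Iterator[str]:
    """Cartesian product of the four octet lists (192.168.1-2.1 -> two hosts)."""
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets in {spec!r}")
    for combo in itertools.product(*(expand_octet(o) for o in octets)):
        yield ".".join(str(n) for n in combo)


def expand_target(spec: str, resolve: Resolver = lambda host: None) -> Iterator[str]:
    """Yield every IPv4 address a single command-line target specification covers."""
    base, _, bits = spec.partition("/")
    if OCTET_SYNTAX.match(base):
        has_ranges = any(ch in base for ch in ",-*")
        if has_ranges and bits:
            raise ValueError(f"{spec!r}: octet ranges with /CIDR not supported in this example")
        if has_ranges:
            yield from expand_octet_ranges(base)
            return
        address = base
    else:
        address = resolve(base)
        if address is None:
            raise ValueError(f"cannot resolve {base!r}: no entry in the offline lookup table")
    if bits:
        # Nmap scans every address in the block, network and broadcast included.
        for ip in ipaddress.ip_network(f"{address}/{bits}", strict=False):
            yield str(ip)
    else:
        yield str(ipaddress.ip_address(address))


def expand_target_list(text: str, resolve: Resolver = lambda host: None) -> List[str]:
    """Expand -iL style input: whitespace-separated specs; '#' starts a comment (assumption)."""
    out: List[str] = []
    for line in text.splitlines():
        for spec in line.split("#", 1)[0].split():
            out.extend(expand_target(spec, resolve))
    return out


if __name__ == "__main__":
    table = {"host.example.com": "192.168.5.77"}  # constructed lookup table, not real DNS
    for spec in ("192.168.1.1-5", "192.168.1-3,2.1", "host.example.com/29"):
        addrs = list(expand_target(spec, table.get))
        print(f"{spec:22} -> {len(addrs):3} targets, first {addrs[0]}, last {addrs[-1]}")
```

Running it without arguments prints the expansion of three constructed specifications; the counts should match what nmap -sL -n reports for the same targets (hostname lookup aside), which makes it a quick way to sanity-check a large target list before scanning.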


DNS Resolution


One useful source of information is DNS, or the domain name system, which can provide valuable insights into the function and location of hosts. As an example, it's common to see wireless access points named "wap" or "wireless," firewalls named "fw," "firewall," or "fw-1," and development web servers with not-yet-published content named "dev," "staging," "www-int," or "beta."

Nmap performs reverse-DNS resolution by default for every IP that responds to host discovery probes. Unlike slow standard DNS resolution libraries, Nmap uses a custom stub resolver that can perform dozens of requests in parallel. This means that if a host is online, Nmap will attempt to resolve its DNS name. If host discovery is skipped using the -Pn option, Nmap will perform DNS resolution for all IPs.

Nmap offers four options to further control DNS resolution if you prefer not to use the defaults. The default DNS resolution behaviour works well, but fine-tuning will usually give better results. These options can significantly affect scanning speed and the amount of information gathered.

  • No DNS Resolution (-n): This option instructs Nmap to skip reverse DNS resolution for active IP addresses, resulting in faster scanning times by avoiding the potential slowness of DNS lookups.

  • DNS Resolution for All Targets (-R): This option instructs Nmap to perform reverse DNS resolution on all target IP addresses, regardless of whether they are online. By default, reverse DNS resolution is only performed on responsive hosts. This option is useful for obtaining a complete list of DNS names associated with a set of IP addresses, even if some of those addresses are not currently online.

  • System DNS Resolver (--system-dns): This option makes Nmap use the system's DNS resolver instead of sending queries directly to the configured name servers. By default, Nmap sends multiple queries in parallel to improve performance; with this option it sends one query at a time using the getnameinfo call, which is slower. It is generally only used if there is an issue with Nmap's parallel resolver. The system resolver is always used for IPv6 scans.

  • Specify DNS Servers (--dns-servers): This option allows you to specify alternate DNS servers for reverse DNS queries. By default, Nmap uses DNS servers from your system's configuration. This option is particularly useful when scanning private networks with limited information about available name servers. It can also improve speed and stealth by bouncing requests off different recursive DNS servers. Note that this option is not available when using --system-dns or an IPv6 scan. To find the right name server, you can scan the network for port 53 and use Nmap list scans (-sL) with --dns-servers to try each server until one works.


Host Discovery Capabilities


Nmap's default approach is to start with a ping scan to identify which hosts are online before moving on to more invasive scans such as port scans, OS detection, Nmap Scripting Engine, or version detection. This strategy can save significant time and network resources, as only the hosts that respond to the ping scan are subjected to the more intensive scans. However, there are situations where this approach may not be suitable. In some cases, you may want to scan all IP addresses on a network without a ping scan (-Pn), while in others, you may only want to perform host discovery without a port scan (-sn). Nmap provides several high-level options that can be used to customize this behavior to meet your specific needs.


  • List Scan (-sL): A simple form of host discovery that lists each host of the network(s) specified without sending any packets to the target hosts. It can be used as a sanity check to ensure that you have the proper IP addresses for your targets, and the reverse DNS lookups it performs can provide useful information from hostnames. However, it cannot be combined with higher-level functionality such as port scanning or OS detection. If you want to disable host discovery while still performing higher-level functionality, use the -Pn option.

  • No Port Scan (-sn): This option skips the port scanning phase and only prints the available hosts that responded to the host discovery probes. It is commonly used for light reconnaissance of a target network, allowing an attacker to know how many hosts are up without attracting attention. Systems administrators can also use it to count available machines on a network or to monitor server availability. The default host discovery done with -sn consists of an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80, and an ICMP timestamp request. When executed by an unprivileged user, only SYN packets are sent to ports 80 and 443 on the target. When a privileged user scans targets on a local Ethernet network, ARP requests are used unless --send-ip was specified. The -sn option can be combined with any of the discovery probe types for greater flexibility.

  • No Ping Scan (-Pn): This is a powerful option for scanning large networks or cases where ping requests are not allowed. It skips the host discovery stage and lets Nmap attempt the requested scanning functions against every specified target IP address without first determining which machines are active. Nmap proceeds as if each target IP is up, but because no host discovery information is gathered, default timing parameters are used, which may result in slower scans.

  • TCP SYN Ping (-PS): This option sends an empty TCP packet with the SYN flag set, by default to port 80. Alternate ports can be specified as a comma-separated list (e.g., -PS22-25,80,113,1050,35000), with no space between -PS and the port list. Multiple probes are sent in parallel. If the port is closed, Nmap receives a RST packet in response, while an open port prompts the target to send a SYN/ACK packet. Either reply shows that the host is available and responsive; Nmap then tears the connection down with a RST packet rather than completing the handshake.

  • TCP ACK Ping (-PA): This option sends an empty TCP packet with the ACK flag set instead of the SYN flag used by the SYN ping. It uses the same default port (80) and the same comma-separated list format for alternate ports. The ACK ping is more effective against stateless firewalls that block incoming SYN packets to closed ports; Nmap falls back to the connect workaround if an unprivileged user tries to use -PA. Both SYN and ACK probes are offered to maximize the chances of getting through firewalls with different kinds of filtering rules. Firewalls with stateful rules are more likely to recognize unexpected ACK packets as bogus and drop them, which makes the SYN probe more effective there. Specifying both -PS and -PA, so that both probe types are sent, is the usual answer to this quandary.

  • UDP Ping (-PU): This alternative host discovery option sends a UDP packet to the specified ports; for most ports the packet is empty, but some get a protocol-specific payload that is more likely to draw a response. The port list format is the same as for -PS and -PA, and the default port is 40125, which can be changed at compile time. A closed port should generate an ICMP port unreachable packet in response, indicating that the target is up, while other types of ICMP error or no response indicate an unreachable or down host. The UDP ping can get past firewalls and filters that only screen TCP, as shown with the Linksys BEFW11S4 wireless broadband router, which filtered TCP ports but could be detected with UDP probes.

  • Traceroute (--traceroute): This is a post-scan feature that uses the results of the scan to pick the port and protocol most likely to reach the target. It works with all scan types except connect scans (-sT) and idle scans (-sI), and traces to multiple targets run in parallel. Nmap sends packets with a deliberately limited TTL and watches for ICMP Time Exceeded messages from the intermediate hops. Unlike standard traceroute implementations, which start with a TTL of 1 and increment it until the target is reached, Nmap starts with a high TTL and decrements it toward zero. This lets Nmap use caching algorithms that send fewer packets per host, typically 5-10 fewer, depending on network conditions. For a single subnet such as 192.168.0.0/24, Nmap may only need to send two packets to most hosts.

To skip host discovery and port scanning while still allowing NSE to run, you can use the -Pn and -sn options together. However, note that ARP scanning is still performed for machines on a local Ethernet network, unless you use the --disable-arp-ping or --send-ip options.
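The probe sets described above are just as useful from the defender's side: the default privileged -sn combination (ICMP echo request, TCP SYN to 443, TCP ACK to 80, ICMP timestamp request) and the unprivileged fallback (TCP SYN to 80 and 443) are distinctive when they hit many hosts from one source in a short window. The script below is an added example, not code from this post or from the Nmap project. It parses a constructed, simplified packet-summary log (the format, timestamps and addresses are all made up for the example) and reports sources whose probe mix matches one of those patterns against a configurable number of hosts. One caveat that follows directly from the section above: on a local Ethernet segment a privileged scan uses ARP requests instead, and those never appear in IP flow records, so this logic cannot see them.

```python
"""Flag an Nmap-style host discovery sweep in constructed flow records.

Added example (not from the post or from Nmap). Log lines have the constructed
form '<iso-ts> <src> <dst> <proto> key=value ...'; ICMP type 8 is echo request
and type 13 is timestamp request.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional


class Flow(NamedTuple):
    ts: datetime
    src: str
    dst: str
    probe: str  # which discovery probe the packet looks like


class Finding(NamedTuple):
    pattern: str
    hosts: int
    probes: List[str]


# Probe sets taken from the -sn description in the post.
PRIVILEGED_SET = {"icmp-echo", "tcp-syn-443", "tcp-ack-80", "icmp-timestamp"}
UNPRIVILEGED_SET = {"tcp-syn-80", "tcp-syn-443"}


def classify(proto: str, fields: Dict[str, str]) -> Optional[str]:
    """Map one packet summary onto a host-discovery probe name, or None if it matches nothing."""
    if proto == "icmp":
        return {"8": "icmp-echo", "13": "icmp-timestamp"}.get(fields.get("type", ""))
    if proto == "tcp":
        flags, dport = fields.get("flags"), fields.get("dport")
        if flags == "S" and dport in ("80", "443"):
            return f"tcp-syn-{dport}"
        if flags == "A" and dport == "80":
            return "tcp-ack-80"
    if proto == "udp" and fields.get("dport") == "40125":  # -PU default port
        return "udp-40125"
    return None


def parse(log: str) -> List[Flow]:
    """Keep only the packets that look like discovery probes."""
    flows: List[Flow] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        probe = classify(proto, fields)
        if probe is not None:
            flows.append(Flow(datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst, probe))
    return flows


def find_sweeps(flows: List[Flow], window: timedelta = timedelta(seconds=60),
                min_hosts: int = 5) -> Dict[str, Finding]:
    """Sources whose probe mix within `window` matches an -sn pattern against min_hosts+ targets."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_src[f.src].append(f)
    findings: Dict[str, Finding] = {}
    for src, items in by_src.items():
        start = 0
        for end in range(len(items)):  # sliding time window over this source's probes
            while items[end].ts - items[start].ts > window:
                start += 1
            seen = items[start:end + 1]
            kinds = {f.probe for f in seen}
            hosts = {f.dst for f in seen}
            if len(hosts) < min_hosts:
                continue
            if PRIVILEGED_SET <= kinds:
                pattern = "privileged -sn default probes"
            elif UNPRIVILEGED_SET <= kinds:
                pattern = "unprivileged -sn (SYN to 80 and 443)"
            else:
                continue
            if src not in findings or len(hosts) > findings[src].hosts:
                findings[src] = Finding(pattern, len(hosts), sorted(kinds))
    return findings


def constructed_log() -> str:
    """Constructed sample: a privileged sweep of six hosts, a three-host unprivileged sweep, one client."""
    lines: List[str] = []
    for i in range(1, 7):  # 203.0.113.5 probes 10.0.0.1-6 with the default privileged set
        t, dst = f"2024-01-08T10:00:{i:02d}Z", f"10.0.0.{i}"
        lines += [f"{t} 203.0.113.5 {dst} icmp type=8",
                  f"{t} 203.0.113.5 {dst} tcp dport=443 flags=S",
                  f"{t} 203.0.113.5 {dst} tcp dport=80 flags=A",
                  f"{t} 203.0.113.5 {dst} icmp type=13"]
    for i in range(1, 4):  # 192.0.2.7 sends SYN to 80 and 443 on three hosts
        t, dst = f"2024-01-08T10:00:{20 + i}Z", f"10.0.0.{i}"
        lines += [f"{t} 192.0.2.7 {dst} tcp dport=80 flags=S",
                  f"{t} 192.0.2.7 {dst} tcp dport=443 flags=S"]
    lines += ["2024-01-08T10:00:30Z 198.51.100.9 10.0.0.1 tcp dport=443 flags=S",  # ordinary client
              "2024-01-08T10:00:30Z 198.51.100.9 10.0.0.1 tcp dport=443 flags=PA"]
    return "\n".join(lines)


if __name__ == "__main__":
    for src, info in find_sweeps(parse(constructed_log())).items():
        print(f"{src}: {info.pattern} against {info.hosts} hosts, probes {info.probes}")
```

With the default threshold of five hosts only the 203.0.113.5 sweep is reported; lowering min_hosts to 3 also surfaces the small unprivileged sweep from 192.0.2.7, while the single HTTPS client is never flagged because it touches one host and sends no ACK-to-80 or ICMP probes. The threshold and window are the knobs to tune against your own baseline of legitimate monitoring traffic.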


Conclusion


Thank you for reading part two of Nmap: Scan All the Things! I hope you found this informative and useful in building a foundation of knowledge about this powerful tool. In the near future, I plan to write more detailed posts in the Nmap series about Nmap's scan phases, flags, and various scanning techniques that can be used to explore a network. I will also record a demonstration of Nmap.


If you are interested in cybersecurity and cybersecurity news and trends, be sure to visit Cyb3r-S3c frequently and check out my YouTube channel, Cyb3r-0verwatch. All of the information presented in my post is based on my own research and my 22 years of IT/Cybersecurity experience, so please use it in a way that is most helpful to you. If you have any questions, please feel free to reach out to me using the Cyb3r-S3c Contact Form. Thank you again for visiting Cyb3r-S3c, keep learning - the only way to improve is to keep acquiring knowledge!


/Signing Off

Pragmat1c_0n3


