#readwise
# Network Enumeration with Nmap - Host Discovery

## Metadata
- Author: [[Hack The Box]]
- Full Title: Network Enumeration with Nmap - Host Discovery
- URL: https://academy.hackthebox.com/module/19/section/101
## Summary
Nmap is a tool used for discovering which systems are online during a network penetration test. It can use ICMP echo requests to check if hosts are active. Scans can be performed on entire networks, lists of IPs, multiple IPs, or single IPs. It is important to save scan results for comparison and documentation.
## Highlights
When we need to conduct an internal penetration test for the entire network of a company, for example, then we should, first of all, get an overview of which systems are online that we can work with. To actively discover such systems on the network, we can use various `Nmap` host discovery options. There are many options `Nmap` provides to determine whether our target is alive or not. ([View Highlight](https://read.readwise.io/read/01jp03r0qtqbv3h501dfc670k3)) ^s2g5hj
---
```sh
sudo nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d" " -f5
```
> 10.129.2.4
> 10.129.2.10
> 10.129.2.11
> 10.129.2.18
> 10.129.2.19
> 10.129.2.20
> 10.129.2.28
([View Highlight](https://read.readwise.io/read/01jp0501ns1d0nezywthgwycay))
---
| Scanning Options | Description |
| ---------------- | ---------------------------------------------------------------- |
| `10.129.2.0/24` | Target network range. |
| `-sn` | Disables port scanning. |
| `-oA tnet` | Stores the results in all formats starting with the name 'tnet'. |
([View Highlight](https://read.readwise.io/read/01jp03wtvq052ysqvadpazm06f))
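One caveat on the `grep for | cut -d" " -f5` pipeline above: it prints field five of the `Nmap scan report for ...` line, which is the hostname rather than the IP as soon as reverse DNS resolves a name. The following added example (not code from the HTB module) reads the grepable `.gnmap` file that `-oA tnet` writes anyway, where the IP is always the second field, and also diffs two sweeps, which is what saving the results is for. The file names and their contents are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not part of the HTB module: work from the grepable output
# that `-oA tnet` writes (tnet.gnmap) instead of cutting field 5 of the
# normal output, which yields the hostname whenever reverse DNS resolves.
# File names and contents below are constructed for this demonstration.

# live_hosts FILE.gnmap
# Print the IP of every host Nmap marked "Status: Up", one per line, sorted
# numerically by octet so 10.129.2.4 comes before 10.129.2.10.
live_hosts() {
    awk '/^Host: / && /Status: Up/ { print $2 }' "$1" \
        | sort -u -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n
}

# new_hosts OLD.gnmap NEW.gnmap
# Hosts that are Up in NEW but were not Up in OLD. awk reads both files in
# one pass; FILENAME tells us which one we are in.
new_hosts() {
    awk '/^Host: / && /Status: Up/ {
            if (FILENAME == ARGV[1]) seen[$2] = 1
            else if (!seen[$2])      print $2
         }' "$1" "$2"
}

# gone_hosts OLD.gnmap NEW.gnmap
# Hosts that answered in OLD but are silent in NEW (same logic, reversed).
gone_hosts() {
    new_hosts "$2" "$1"
}

# write_samples DIR
# Two constructed .gnmap files mimicking -sn sweeps of 10.129.2.0/24 on two
# days. Day 2 has one host with a reverse-DNS name (which breaks the cut -f5
# approach), one new host (.28) and one host that went quiet (.11). Nmap
# separates the fields with a tab; awk does not care, so spaces are used here.
write_samples() {
    cat > "$1/tnet-day1.gnmap" <<'EOF'
# Nmap 7.80 scan initiated as: nmap 10.129.2.0/24 -sn -oA tnet-day1
Host: 10.129.2.4 () Status: Up
Host: 10.129.2.10 () Status: Up
Host: 10.129.2.11 () Status: Up
Host: 10.129.2.18 () Status: Up
# Nmap done -- 256 IP addresses (4 hosts up)
EOF
    cat > "$1/tnet-day2.gnmap" <<'EOF'
# Nmap 7.80 scan initiated as: nmap 10.129.2.0/24 -sn -oA tnet-day2
Host: 10.129.2.4 () Status: Up
Host: 10.129.2.10 (dc01.example.internal) Status: Up
Host: 10.129.2.18 () Status: Up
Host: 10.129.2.28 () Status: Up
# Nmap done -- 256 IP addresses (4 hosts up)
EOF
}

# demo: run everything against the constructed files and print the result.
demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    echo "live on day 2:";     live_hosts "$dir/tnet-day2.gnmap"
    echo "new since day 1:";   new_hosts  "$dir/tnet-day1.gnmap" "$dir/tnet-day2.gnmap"
    echo "gone since day 1:";  gone_hosts "$dir/tnet-day1.gnmap" "$dir/tnet-day2.gnmap"
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Against a real engagement the functions take the `tnet.gnmap` written by `-oA tnet`; keeping one `.gnmap` per sweep and running `new_hosts`/`gone_hosts` between them turns the "save your results" advice into a concrete change report.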
---
If we disable port scanning (`-sn`), Nmap falls back to its default host discovery, which includes an `ICMP Echo Request` (`-PE`). Once such a request is sent, we usually expect an `ICMP Echo Reply` if the pinged host is alive. ^1tlnjs
The more interesting fact is that our previous scans did not do that: for a target on the same Ethernet segment, Nmap sends an `ARP ping` first and accepts the resulting `ARP reply` as proof that the host is alive, so the ICMP echo request is never sent. We can confirm this with the `--packet-trace` option. To make sure ICMP echo requests are what we ask for, we also specify the `-PE` option explicitly.
```sh
sudo nmap 10.129.2.18 -sn -oA host -PE --packet-trace
```
> Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 00:08 CEST
> SENT (0.0074s) ARP who-has 10.129.2.18 tell 10.10.14.2
> RCVD (0.0309s) ARP reply 10.129.2.18 is-at DE:AD:00:00:BE:EF
> Nmap scan report for 10.129.2.18
> Host is up (0.023s latency).
> MAC Address: DE:AD:00:00:BE:EF
> Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
| Scanning Options | Description |
| ---------------- | ------------------------------------------------------------------------ |
| `10.129.2.18` | Performs defined scans against the target. |
| `-sn` | Disables port scanning. |
| `-oA host` | Stores the results in all formats starting with the name 'host'. |
| `-PE` | Performs the ping scan by using 'ICMP Echo requests' against the target. |
| `--packet-trace` | Shows all packets sent and received |
([View Highlight](https://read.readwise.io/read/01jp056vfb9y91w3tk6wwcj1js))
---
Another way to determine why Nmap has our target marked as "alive" is with the "`--reason`" option.
```sh
sudo nmap 10.129.2.18 -sn -oA host -PE --reason
```
> Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 00:10 CEST
> SENT (0.0074s) ARP who-has 10.129.2.18 tell 10.10.14.2
> RCVD (0.0309s) ARP reply 10.129.2.18 is-at DE:AD:00:00:BE:EF
> Nmap scan report for 10.129.2.18
> Host is up, received arp-response (0.028s latency).
> MAC Address: DE:AD:00:00:BE:EF
> Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
| Scanning Options | Description |
| ---------------- | ------------------------------------------------------------------------ |
| `10.129.2.18` | Performs defined scans against the target. |
| `-sn` | Disables port scanning. |
| `-oA host` | Stores the results in all formats starting with the name 'host'. |
| `-PE` | Performs the ping scan by using 'ICMP Echo requests' against the target. |
| `--reason` | Displays the reason for a specific result. |
([View Highlight](https://read.readwise.io/read/01jp058axx4x2kgj4x84p1xvgb))
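Over a whole sweep, `--reason` is most useful when tallied per host: it shows which hosts were found by ARP (on-link) and which by ICMP, so you can tell whether the ICMP probes you think you are testing were ever used. The following added example (not code from the HTB module) parses saved normal output (`-oN`, or the `.nmap` file from `-oA`) run with `--reason`, handling both the bare-IP and the `hostname (IP)` forms of the report line. The sample output is constructed; the IPs, hostname and second scan range are assumptions for the demonstration.

```sh
#!/bin/sh
# Added example, not part of the HTB module: tally the `--reason` Nmap gives
# for each live host from saved normal output. Sample contents are constructed.

# host_reasons FILE.nmap
# Print "IP reason" for every host reported up. The IP is the last field of
# the "Nmap scan report for" line, bare or in parentheses when a reverse-DNS
# name is present. Without --reason the line has no "received ..." part, so
# the reason is reported as "unspecified".
host_reasons() {
    awk '
        /^Nmap scan report for / {
            ip = $NF
            gsub(/[()]/, "", ip)
        }
        /^Host is up/ {
            reason = "unspecified"
            if (match($0, /received [^ ]+/))
                reason = substr($0, RSTART + 9, RLENGTH - 9)
            print ip, reason
        }' "$1"
}

# reason_summary FILE.nmap
# Count hosts per discovery reason, most common first.
reason_summary() {
    host_reasons "$1" | awk '{ n[$2]++ } END { for (r in n) print n[r], r }' | sort -rn
}

# write_reason_sample FILE
# Constructed normal output of a -sn -PE --reason sweep: two on-link hosts
# answered ARP (one with a reverse-DNS name), one routed host answered ICMP.
write_reason_sample() {
    cat > "$1" <<'EOF'
# Nmap 7.80 scan initiated as: nmap 10.129.2.0/23 -sn -PE --reason -oN hosts.nmap
Nmap scan report for 10.129.2.18
Host is up, received arp-response (0.028s latency).
MAC Address: DE:AD:00:00:BE:EF (Unknown)
Nmap scan report for dc01.example.internal (10.129.2.10)
Host is up, received arp-response (0.012s latency).
Nmap scan report for 10.129.3.7
Host is up, received echo-reply ttl 63 (0.041s latency).
Nmap done: 512 IP addresses (3 hosts up) scanned in 2.10 seconds
EOF
}

# demo: run against the constructed file and print the tally.
demo() {
    f=$(mktemp)
    write_reason_sample "$f"
    host_reasons "$f"
    echo "--"
    reason_summary "$f"
    rm -f "$f"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

If every host in a segment you believed was remote comes back `arp-response`, you are on-link with it and the ICMP probes were never exercised; that is exactly the situation the `--disable-arp-ping` option in the next highlight is for.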
---
We see here that `Nmap` does indeed decide that the host is alive from the `ARP request` and `ARP reply` alone; the ICMP echo request we asked for with `-PE` never appears in the trace.
To force the `ICMP echo requests` we actually want, we can turn ARP pings off with the `--disable-arp-ping` option, then scan the target again and look at the packets sent and received. ^sjp1ql
([View Highlight](https://read.readwise.io/read/01jp05a065dtxwa996sxsbhxdb))
---