#readwise

# Nmap Host Discovery

![rw-book-cover](https://readwise-assets.s3.amazonaws.com/static/images/article1.be68295a7e40.png)

## Metadata

- Author: [[nmap.org]]
- Full Title: Nmap Host Discovery
- URL: https://nmap.org/book/man-host-discovery.html

## Summary

Host discovery is the process of finding active IP addresses in a network. Nmap offers various techniques for this, beyond just simple ping requests. Users can customize their scans to focus on specific services or to bypass firewalls. The default setting uses a combination of probes to identify active hosts before performing a port scan.

## Highlights

One of the very first steps in any network reconnaissance mission is to reduce a (sometimes huge) set of IP ranges into a list of active or interesting hosts. Scanning every port of every single IP address is slow and usually unnecessary. Of course what makes a host interesting depends greatly on the scan purposes. Network administrators may only be interested in hosts running a certain service, while security auditors may care about every single device with an IP address. An administrator may be comfortable using just an ICMP ping to locate hosts on his internal network, while an external penetration tester may use a diverse set of dozens of probes in an attempt to evade firewall restrictions. ([View Highlight](https://read.readwise.io/read/01jp9ntyx25jxj0xgej93ahf8d)) ^aoqmeq

---

Users can skip the discovery step entirely with a list scan (`-sL`) or by disabling host discovery (`-Pn`), or engage the network with arbitrary combinations of multi-port TCP SYN/ACK, UDP, SCTP INIT and ICMP probes. The goal of these probes is to solicit responses which demonstrate that an IP address is actually active. ([View Highlight](https://read.readwise.io/read/01jp9ny2rarn41pr5ysftadz2n)) ^69vgt8

---

If no host discovery options are given, Nmap sends an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request.
(For IPv6, the ICMP timestamp request is omitted because it is not part of ICMPv6.) These defaults are equivalent to the `-PE -PS443 -PA80 -PP` options. The exceptions to this are the ARP (for IPv4) and Neighbor Discovery (for IPv6) scans which are used for any targets on a local ethernet network. For unprivileged Unix shell users, the default probes are a SYN packet to ports 80 and 443 using the `connect` system call. ([View Highlight](https://read.readwise.io/read/01jp9p09a7gbdc8qzej1cfm3qk)) ^lr07mb

---

ARP/Neighbor Discovery is done by default against targets on a local Ethernet network even if you specify other `-P*` options, because it is almost always faster and more effective. ([View Highlight](https://read.readwise.io/read/01jp9p1bdwb7xhxxa66r84eetc)) ^pl4u0b

---

Nmap does host discovery and then performs a port scan against each host it determines is online. This is true even if you specify non-default host discovery types such as UDP probes (`-PU`). Read about the `-sn` option to learn how to perform only host discovery, or use `-Pn` to skip host discovery and port scan all target addresses. ([View Highlight](https://read.readwise.io/read/01jp9p2jd1z1xzs8z1nj1thgb6)) ^cyn2ek

---

`-sL` (List Scan)

The list scan is a degenerate form of host discovery that simply lists each host of the network(s) specified, without sending any packets to the target hosts. By default, Nmap still does reverse-DNS resolution on the hosts to learn their names. It is often surprising how much useful information simple hostnames give out. ([View Highlight](https://read.readwise.io/read/01jp9p6285jr8np4rtt2avaey7)) ^2lnfc0

---

`-sn` (No port scan)

This option tells Nmap not to do a port scan after host discovery, and only print out the available hosts that responded to the host discovery probes. This is often known as a “ping scan”, but you can also request that traceroute and NSE host scripts be run.
This is by default one step more intrusive than the list scan, and can often be used for the same purposes. It allows light reconnaissance of a target network without attracting much attention. Knowing how many hosts are up is more valuable to attackers than the list provided by list scan of every single IP and host name. Systems administrators often find this option valuable as well. It can easily be used to count available machines on a network or monitor server availability. This is often called a ping sweep, and is more reliable than pinging the broadcast address because many hosts do not reply to broadcast queries. ([View Highlight](https://read.readwise.io/read/01jp9p9qdd81bp4nprs70twfh5)) ^574h8b

---

`-Pn` (No ping)

This option skips the host discovery stage altogether. Normally, Nmap uses this stage to determine active machines for heavier scanning and to gauge the speed of the network. By default, Nmap only performs heavy probing such as port scans, version detection, or OS detection against hosts that are found to be up. Disabling host discovery with `-Pn` causes Nmap to attempt the requested scanning functions against *every* target IP address specified. So if a /16 sized network is specified on the command line, all 65,536 IP addresses are scanned. Proper host discovery is skipped as with the list scan, but instead of stopping and printing the target list, Nmap continues to perform requested functions as if each target IP is active. Default timing parameters are used, which may result in slower scans. To skip host discovery *and* port scan, while still allowing NSE to run, use the two options `-Pn -sn` together. For machines on a local ethernet network, ARP scanning will still be performed (unless `--disable-arp-ping` or `--send-ip` is specified) because Nmap needs MAC addresses to further scan target hosts.
([View Highlight](https://read.readwise.io/read/01jp9pg16swtyazyn15n2qy6hr)) ^5ez2j4

---

`-PS <port list>` (TCP SYN Ping)

This option sends an empty TCP packet with the SYN flag set. ... On Unix boxes, only the privileged user `root` is generally able to send and receive raw TCP packets. For unprivileged users, a workaround is automatically employed whereby the `connect` system call is initiated against each target port. This has the effect of sending a SYN packet to the target host, in an attempt to establish a connection. ^30bxaj

---

`-PA <port list>` (TCP ACK Ping)

The TCP ACK ping is quite similar to the just-discussed SYN ping. The difference, as you could likely guess, is that the TCP ACK flag is set instead of the SYN flag. Such an ACK packet purports to be acknowledging data over an established TCP connection, but no such connection exists. So remote hosts should always respond with a RST packet, disclosing their existence in the process. The `-PA` option uses the same default port as the SYN probe (80) and can also take a list of destination ports in the same format. If an unprivileged user tries this, the `connect` workaround discussed previously is used. ([View Highlight](https://read.readwise.io/read/01jpb4yyhz6zehmfssz3preda9)) ^k7drjt

---

`-PU <port list>` (UDP Ping)

Another host discovery option is the UDP ping, which sends a UDP packet to the given ports. For most ports, the packet will be empty, though some use a protocol-specific payload that is more likely to elicit a response. The payloads are the same probes used in service and version detection ... The port list takes the same format as with the previously discussed `-PS` and `-PA` options. If no ports are specified, the default is 40125. ^ilctvy

---

`-PE`; `-PP`; `-PM` (ICMP Ping Types)

In addition to the unusual TCP, UDP and SCTP host discovery types discussed previously, Nmap can send the standard packets sent by the ubiquitous ping program.
Nmap sends an ICMP type 8 (echo request) packet to the target IP addresses, expecting a type 0 (echo reply) in return from available hosts. Unfortunately for network explorers, many hosts and firewalls now block these packets, rather than responding as required by [RFC 1122](http://www.rfc-editor.org/rfc/rfc1122.txt). For this reason, ICMP-only scans are rarely reliable enough against unknown targets over the Internet. But for system administrators monitoring an internal network, they can be a practical and efficient approach. Use the `-PE` option to enable this echo request behavior. While echo request is the standard ICMP ping query, Nmap does not stop there. The ICMP standards ([RFC 792](http://www.rfc-editor.org/rfc/rfc792.txt) and [RFC 950](http://www.rfc-editor.org/rfc/rfc950.txt)) also specify timestamp request, information request, and address mask request packets as codes 13, 15, and 17, respectively. While the ostensible purpose for these queries is to learn information such as address masks and current times, they can easily be used for host discovery. A system that replies is up and available. Nmap does not currently implement information request packets, as they are not widely supported. RFC 1122 insists that “a host SHOULD NOT implement these messages”. Timestamp and address mask queries can be sent with the `-PP` and `-PM` options, respectively. A timestamp reply (ICMP code 14) or address mask reply (code 18) discloses that the host is available. These two queries can be valuable when administrators specifically block echo request packets while forgetting that other ICMP queries can be used for the same purpose. ([View Highlight](https://read.readwise.io/read/01jpb59pbmyxx96j9xs9fxgewq)) ^k1j9py

---

`--disable-arp-ping` (No ARP or ND Ping)

Nmap normally does ARP or IPv6 Neighbor Discovery (ND) discovery of locally connected ethernet hosts, even if other host discovery options such as `-Pn` or `-PE` are used.
To disable this implicit behavior, use the `--disable-arp-ping` option. The default behavior is normally faster, but this option is useful on networks using proxy ARP, in which a router speculatively replies to all ARP requests, making every target appear to be up according to ARP scan. ([View Highlight](https://read.readwise.io/read/01jp9pyftrk3x0e9vtb8pgb59a)) ^maumfk

---
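The default probe set (`-PE -PS443 -PA80 -PP`, or a `connect` SYN to 80 and 443 for unprivileged users) and the `-PS`/`-PA`/`-PU` probe types described in the highlights above are easy to recognise from the receiving side. The following is an added example, not code from nmap.org or the Nmap project: it labels packet records from a log and flags source/target pairs whose probes, within a short window, cover one of the two default sweeps. The record schema (`proto`, `icmp_type`, `tcp_flags`, `dport`) and the log entries are constructed for this example.

```python
"""Classify host-discovery probes in a packet log and flag source/target
pairs whose probe set matches Nmap's documented defaults.
Added example, not code from nmap.org; the log records are constructed."""
from collections import defaultdict

# Nmap's privileged default sweep is -PE -PS443 -PA80 -PP (ICMP echo, SYN to
# 443, ACK to 80, ICMP timestamp); the unprivileged fallback is a connect()
# SYN to ports 80 and 443.  Both sets are taken from the man page text.
DEFAULT_PRIVILEGED = {"icmp-echo-req", "tcp-syn:443", "tcp-ack:80", "icmp-timestamp-req"}
DEFAULT_UNPRIVILEGED = {"tcp-syn:80", "tcp-syn:443"}

# ICMP request types usable for discovery: 8 (-PE), 13 (-PP), 17 (-PM).
ICMP_REQUESTS = {8: "icmp-echo-req", 13: "icmp-timestamp-req", 17: "icmp-addrmask-req"}


def classify_probe(pkt):
    """Label one packet record as a discovery-style probe, or return None.
    The record schema (proto, icmp_type, tcp_flags, dport) is an assumption
    of this example, not an Nmap or capture-tool format."""
    proto = pkt["proto"]
    if proto == "icmp":
        return ICMP_REQUESTS.get(pkt["icmp_type"])
    if proto == "tcp":
        flags = set(pkt["tcp_flags"])
        if flags == {"S"}:              # bare SYN: -PS, or a normal connection attempt
            return f"tcp-syn:{pkt['dport']}"
        if flags == {"A"}:              # bare ACK: -PA, or the last step of a real handshake
            return f"tcp-ack:{pkt['dport']}"
        return None
    if proto == "udp":                  # -PU; the documented default port is 40125
        return f"udp:{pkt['dport']}"
    return None


def detect_default_discovery(packets, window=2.0):
    """Group labelled probes per (src, dst) and report pairs whose probes,
    within `window` seconds, cover a default Nmap sweep.  A single SYN or
    ACK is ordinary traffic; it is the combination that is the signal.
    Returns {(src, dst): "privileged-default" | "connect-fallback"}."""
    seen = defaultdict(list)
    for pkt in packets:
        label = classify_probe(pkt)
        if label:
            seen[(pkt["src"], pkt["dst"])].append((pkt["ts"], label))
    findings = {}
    for pair, events in seen.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            labels = {lbl for t, lbl in events[i:] if t - t0 <= window}
            if DEFAULT_PRIVILEGED <= labels:
                findings[pair] = "privileged-default"
                break
            if DEFAULT_UNPRIVILEGED <= labels:
                findings[pair] = "connect-fallback"
                break
    return findings


# Constructed log: 10.0.0.5 sends the four privileged default probes,
# 10.0.0.7 the unprivileged SYN 80/443 pair, 10.0.0.9 a normal TCP handshake.
SAMPLE_LOG = [
    {"ts": 0.00, "src": "10.0.0.5", "dst": "10.0.0.20", "proto": "icmp", "icmp_type": 8},
    {"ts": 0.01, "src": "10.0.0.5", "dst": "10.0.0.20", "proto": "tcp", "tcp_flags": "S", "dport": 443},
    {"ts": 0.01, "src": "10.0.0.5", "dst": "10.0.0.20", "proto": "tcp", "tcp_flags": "A", "dport": 80},
    {"ts": 0.02, "src": "10.0.0.5", "dst": "10.0.0.20", "proto": "icmp", "icmp_type": 13},
    {"ts": 5.00, "src": "10.0.0.7", "dst": "10.0.0.20", "proto": "tcp", "tcp_flags": "S", "dport": 80},
    {"ts": 5.01, "src": "10.0.0.7", "dst": "10.0.0.20", "proto": "tcp", "tcp_flags": "S", "dport": 443},
    {"ts": 9.00, "src": "10.0.0.9", "dst": "10.0.0.20", "proto": "tcp", "tcp_flags": "S", "dport": 443},
    {"ts": 9.10, "src": "10.0.0.9", "dst": "10.0.0.20", "proto": "tcp", "tcp_flags": "A", "dport": 443},
]

if __name__ == "__main__":
    for (src, dst), kind in detect_default_discovery(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {kind}")
```

The "connect-fallback" label only says the SYN 80/443 pair was seen; a privileged `-PS80,443` scan produces the same pattern, so treat it as a pattern match, not as evidence about the scanner's privileges. The same host that receives a single SYN and a handshake ACK on 443 (10.0.0.9 above) is deliberately not flagged.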
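The `-sn` highlight notes that administrators use a ping sweep to count machines or monitor server availability. As an added example, not nmap.org's code, here is a parser for the grepable output (`-oG`) of such a sweep together with a comparison against an inventory. The sweep output and the inventory are constructed; the `Host: <ip> (<name>)\tStatus: Up` line shape follows the grepable format as this example understands it, and the parser keeps whatever status string Nmap prints, so the same function reads the output of a list scan (`-sL`) as well.

```python
"""Parse Nmap grepable (-oG) output from a ping sweep (-sn) and compare the
hosts reported Up against an inventory.  Added example, not nmap.org code.
The sweep output and inventory are constructed for this example."""
import re
from ipaddress import ip_address

# One "Host:" line per target: address, (reverse-DNS name or empty), status.
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\S+)")

SAMPLE_GNMAP = """\
# Nmap <version> scan initiated <date> as: nmap -sn -oG sweep.gnmap 192.168.1.0/29
Host: 192.168.1.1 (gw.lab.example)\tStatus: Up
Host: 192.168.1.2 ()\tStatus: Up
Host: 192.168.1.3 (files.lab.example)\tStatus: Up
# Nmap done at <date> -- 8 IP addresses (3 hosts up) scanned in 2.71 seconds
"""

# Constructed inventory of machines that should answer a sweep of this /29.
INVENTORY = {"192.168.1.1", "192.168.1.3", "192.168.1.4"}


def parse_gnmap(text):
    """Return one dict per Host: line: ip, name (None when Nmap printed '()'),
    and the status string exactly as Nmap wrote it."""
    hosts = []
    for line in text.splitlines():
        if line.startswith("#"):        # banner and summary lines
            continue
        m = HOST_LINE.match(line)
        if m:
            ip, name, status = m.groups()
            hosts.append({"ip": ip, "name": name or None, "status": status})
    return hosts


def availability_report(hosts, inventory):
    """Split sweep results into: up, missing (inventory hosts that did not
    answer, whether down or filtered) and unexpected (answering hosts that
    are not in the inventory)."""
    up = {h["ip"] for h in hosts if h["status"] == "Up"}
    inventory = set(inventory)
    return {
        "up": sorted(up, key=ip_address),
        "missing": sorted(inventory - up, key=ip_address),
        "unexpected": sorted(up - inventory, key=ip_address),
    }


if __name__ == "__main__":
    report = availability_report(parse_gnmap(SAMPLE_GNMAP), INVENTORY)
    for key in ("up", "missing", "unexpected"):
        print(f"{key:10s} {', '.join(report[key]) or '-'}")
```

A host in "missing" is not necessarily down: as the highlights say, hosts and firewalls often drop the default probes, so re-checking it with a different probe type (or `-Pn`) before raising an alert avoids false alarms.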
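The ICMP highlight lists the query and reply numbers that `-PE`, `-PP` and `-PM` rely on (the numbers are values of the ICMP type field: 8/0, 13/14, 15/16, 17/18) and warns that filtering echo requests alone leaves the other queries open. The following is an added example, not nmap.org's code: it builds and parses ICMP headers with the RFC 792 checksum and models a stateless filter policy, so the gap can be checked without sending anything. The packets are constructed in memory.

```python
"""Build and parse ICMP headers for the query types the text lists: echo (8/0),
timestamp (13/14), information (15/16) and address mask (17/18), with the
RFC 792 checksum, and check a packet against a filter policy.  Added example,
not nmap.org code; the packets are constructed in memory and never sent."""
import struct

ICMP_NAMES = {
    0: "echo reply", 8: "echo request",
    13: "timestamp request", 14: "timestamp reply",
    15: "information request", 16: "information reply",   # not implemented by Nmap
    17: "address mask request", 18: "address mask reply",
}
# Reply type that, if seen, discloses that the queried host is up.
REQUEST_TO_REPLY = {8: 0, 13: 14, 15: 16, 17: 18}


def icmp_checksum(data: bytes) -> int:
    """Ones-complement sum of 16-bit words (RFC 792).  A packet whose checksum
    field is already correct comes back as 0 from this function."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, code=0, ident=0x1234, seq=1, payload=b"") -> bytes:
    """Header: type, code, checksum, identifier, sequence; payload follows.
    A timestamp query carries 12 bytes of timestamps, an address mask query
    a 4-byte mask field (zero in the request)."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload


def parse_icmp(pkt: bytes) -> dict:
    """Decode the 8-byte header and verify the checksum over the whole packet."""
    if len(pkt) < 8:
        raise ValueError("ICMP header is 8 bytes; got %d" % len(pkt))
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {
        "type": icmp_type, "code": code,
        "name": ICMP_NAMES.get(icmp_type, "other"),
        "expected_reply": REQUEST_TO_REPLY.get(icmp_type),
        "checksum_ok": icmp_checksum(pkt) == 0,
        "id": ident, "seq": seq, "payload": pkt[8:],
    }


def allowed_by_filter(pkt: bytes, blocked_types) -> bool:
    """Model a stateless ICMP filter that drops the listed types.  A policy
    that blocks only type 8 still passes timestamp (13) and address mask (17)
    queries, the gap the text describes; blocking all three closes it."""
    return parse_icmp(pkt)["type"] not in set(blocked_types)


if __name__ == "__main__":
    probes = {
        "-PE": build_icmp(8, payload=b"nmap"),
        "-PP": build_icmp(13, payload=b"\x00" * 12),
        "-PM": build_icmp(17, payload=b"\x00" * 4),
    }
    for policy in ({8}, {8, 13, 17}):
        passed = [opt for opt, p in probes.items() if allowed_by_filter(p, policy)]
        print(f"blocked types {sorted(policy)}: passes {passed or 'nothing'}")
```

Running the block prints that an echo-only policy still passes the `-PP` and `-PM` probes while the three-type policy passes none, which is the administrative mistake the highlight points at.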
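The `--disable-arp-ping` highlight describes proxy ARP, where a router answers ARP requests for every address and so every target looks up. As an added example, not nmap.org's code, here is a sanity check over the ARP replies recorded during a local sweep: a MAC that answers for many distinct addresses is reported as a proxy-ARP suspect, and only addresses answered by some other MAC are treated as confirmed. The `(ip, mac)` reply records and the threshold of three addresses per MAC are constructed assumptions of this example.

```python
"""Sanity-check ARP-based discovery results for proxy ARP, where one router
answers ARP requests for every address and every target looks up.  Added
example, not nmap.org code; the ARP replies are constructed (ip, mac) pairs,
as a capture tool watching the sweep might record them."""
from collections import defaultdict
from ipaddress import ip_address


def proxy_arp_suspects(arp_replies, min_ips=3):
    """Return {mac: [ips]} for any MAC that answered for at least min_ips
    distinct addresses.  A normal host answers for one address (a few, with
    aliases); a proxy-ARP router answers for the whole range.  The threshold
    is a heuristic chosen for this example."""
    by_mac = defaultdict(set)
    for ip, mac in arp_replies:
        by_mac[mac.lower()].add(ip)
    return {mac: sorted(ips, key=ip_address)
            for mac, ips in by_mac.items() if len(ips) >= min_ips}


def arp_confirmed_hosts(arp_replies, min_ips=3):
    """Addresses for which at least one reply came from a MAC that is not a
    proxy suspect.  Addresses answered only by the suspect are unresolved,
    not down: re-check them with IP-level probes (nmap --disable-arp-ping)
    before trusting either answer."""
    suspects = proxy_arp_suspects(arp_replies, min_ips)
    confirmed = {ip for ip, mac in arp_replies if mac.lower() not in suspects}
    return sorted(confirmed, key=ip_address)


# Constructed replies: the router 02:00:00:aa:bb:01 answers for every address
# swept (mixed-case on one line, as some tools print it); 10.0.1.20 also
# answers for itself from its own MAC.
SAMPLE_REPLIES = [
    ("10.0.1.10", "02:00:00:aa:bb:01"),
    ("10.0.1.11", "02:00:00:AA:BB:01"),
    ("10.0.1.12", "02:00:00:aa:bb:01"),
    ("10.0.1.13", "02:00:00:aa:bb:01"),
    ("10.0.1.20", "02:00:00:aa:bb:01"),
    ("10.0.1.20", "02:00:00:cc:dd:20"),
]

if __name__ == "__main__":
    for mac, ips in proxy_arp_suspects(SAMPLE_REPLIES).items():
        print(f"proxy ARP suspect {mac} answered for {len(ips)} addresses")
    print("confirmed by their own MAC:", arp_confirmed_hosts(SAMPLE_REPLIES))
```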