From charlesreid1

Revision as of 18:40, 26 May 2025 by Unknown user

Summary and Objective

Summary:

  • Covers various Nmap techniques for host discovery beyond simple pings (-sn, -PE, -PP, -PM, -PS[ports], -PA[ports], -PU[ports], -PR).
  • Discusses target specification (CIDR, ranges, lists), excluding targets (--exclude), and inputting targets from a file (-iL).
  • Introduces basic timing templates (-T0 through -T5) and their implications.
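Defining scope correctly is what the target-specification and exclusion options above are for. The following is an added example (not Nmap's own code) that expands the subset of Nmap's target grammar covered in these notes (CIDR, per-octet ranges and lists, an -iL style file, and --exclude) into a concrete address list, so the scope of a scan can be reviewed before anything is sent; hostnames are deliberately not resolved so it runs offline.

```python
# Added example: expand Nmap-style target specs into a reviewable scan scope.
import ipaddress
from itertools import product
from typing import Iterable, List, Set


def _expand_octet(spec: str) -> List[int]:
    """Expand one octet field: '5', '1-3', '1,5,9-11' or '*' (0-255)."""
    values = []
    for part in spec.split(","):
        if part == "*":
            values.extend(range(256))
        elif "-" in part:
            lo, hi = part.split("-", 1)
            lo_v = int(lo) if lo else 0      # Nmap accepts '-5' and '250-'
            hi_v = int(hi) if hi else 255
            values.extend(range(lo_v, hi_v + 1))
        else:
            values.append(int(part))
    if any(v < 0 or v > 255 for v in values):
        raise ValueError(f"octet out of range in {spec!r}")
    return sorted(set(values))


def expand_target(spec: str) -> Set[ipaddress.IPv4Address]:
    """Expand one target token (CIDR or dotted spec with octet ranges/lists)."""
    if "/" in spec:
        # Like Nmap, a CIDR spec covers every address in the block, .0 and .255 included.
        return set(ipaddress.ip_network(spec, strict=False))
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"unsupported target {spec!r} (hostnames are not resolved here)")
    return {ipaddress.IPv4Address(".".join(map(str, combo)))
            for combo in product(*(_expand_octet(o) for o in octets))}


def read_target_file(lines: Iterable[str]) -> List[str]:
    """Parse -iL style input: whitespace-separated tokens, '#' starts a comment."""
    tokens: List[str] = []
    for line in lines:
        tokens.extend(line.split("#", 1)[0].split())
    return tokens


def build_scope(targets: Iterable[str], exclude: Iterable[str] = ()) -> List[str]:
    """Union of all targets minus everything matched by --exclude, sorted numerically."""
    included = set().union(*(expand_target(t) for t in targets))
    excluded = set().union(*(expand_target(t) for t in exclude))
    return [str(ip) for ip in sorted(included - excluded)]


if __name__ == "__main__":
    # Constructed lab scope: a small block plus a few hosts, minus one gateway.
    print(build_scope(["10.0.0.0/30", "192.168.1.1-3,10"], exclude=["192.168.1.2"]))
```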

Objective:

  • To equip students with a solid understanding of Nmap's host discovery mechanisms, enabling them to accurately identify live systems on a target network, select appropriate discovery techniques based on network conditions, and correctly define scan scopes.

Notes

What is host discovery and why is it important?

Host discovery is the initial phase in any network reconnaissance or security audit. Before you can probe for open ports, identify services, or detect vulnerabilities, you must first determine which hosts are online and responsive on the target network. Attempting to scan IP addresses that aren't active is inefficient, wastes time, and can generate unnecessary network noise, potentially alerting network defenders prematurely. Effective host discovery narrows down the scope of your subsequent, more intensive scanning efforts, making the entire process more efficient and targeted. Think of it as creating a map of active settlements before exploring each one in detail.

Ethical considerations

It's important to emphasize that Nmap, while a powerful tool for network administrators and security professionals, must only be used on networks where you have explicit, written authorization. Unauthorized scanning can be perceived as an attack and may have legal consequences.

In this course, all Nmap activities will be conducted within isolated, virtual lab environments designed for safe practice. Understanding the "rules of engagement" is as critical as understanding Nmap's syntax. We are learning these techniques for defensive purposes and authorized security assessments.

Host discovery process

Nmap doesn't just rely on a single method to determine if a host is up. By default, for a privileged user (like root or administrator), Nmap sends an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request to each target. If any of these probes elicit a response, Nmap considers the host to be online. For unprivileged users who cannot send raw packets, Nmap resorts to a TCP three-way handshake by attempting to connect to common ports (like 80 and 443). If a connection is successfully established (even if it's immediately closed), the host is marked as up. This multi-probe approach increases the chances of finding live hosts, even if some probe types are blocked by firewalls.